ABSTRACT

A method and system (100) for monitoring or profiling 
quality of service within one or more information sources in 
a network of computers. The method includes a step of 
providing a network of computers, each being coupled to 
each other to form a local area network. The network of 
computers has a firewall server (110) coupled to the network 
of computers and a distributed traffic management tool
coupled to the firewall server. The method also includes 
implementing traffic monitoring or profiling of incoming 
and outgoing information from one of the information 
sources. 

36 Claims, 19 Drawing Sheets 
DIRECTORY ENABLED POLICY MANAGEMENT TOOL FOR INTELLIGENT
TRAFFIC MANAGEMENT

CROSS-REFERENCES TO RELATED APPLICATIONS

This present application is a continuation of U.S. Ser. No.
08/999,517 (pending) filed Dec. 29, 1997, which is a
continuation-in-part of U.S. Ser. No. 60/067,857 filed Dec. 5,
1997, and U.S. Ser. No. 60/047,752 filed May 27, 1997, which
are all hereby incorporated by reference for all purposes. The
application is also being filed concurrently with U.S. Ser.
No. 60/110,976 filed Dec. 1, 1998, commonly assigned, and
hereby incorporated by reference for all purposes.

BACKGROUND OF THE INVENTION

The present invention relates to communication or tele-
communication. More particularly, the present invention
provides a technique, including a method and system, for
monitoring and allocating bandwidth on a plurality of loca-
tions or nodes in a telecommunication network at, for
example, a firewall access point and other positions. As
merely an example, the present invention is implemented on
a wide area network of computers or workstations such as
the Internet. But it would be recognized that the present
invention has a much broader range of applicability includ-
ing local area networks, a combination of wide and local
area networks and the like.

Telecommunication techniques have been around for
numerous years. In the early days, people such as the
American Indians communicated to each other over long
distances using smoke signals. Smoke signals were gen-
erally used to transfer visual information from one geo-
graphical location to be observed at another geographical
location. Since smoke signals could only be seen over a
limited range of geographical distances, they were soon
replaced by a communication technique known as telegraph.
Telegraph generally transferred information from one geo-
graphical location to another geographical location using
electrical signals in the form of dots and dashes over
transmission lines. An example of commonly used electrical
signals is Morse code. Telegraph has been, for the most part,
replaced by telephone. The telephone was invented by
Alexander Graham Bell in the 1800s to transmit and send
voice information using electrical analog signals over a
telephone line, or more commonly a single twisted pair
copper line. Most industrialized countries today rely heavily
upon telephone to facilitate communication between busi-
nesses and people, in general.

In the 1990s, another significant development in the
telecommunication industry occurred. People began com-
municating to each other by way of computers, which are
coupled to the telephone lines or telephone network. These
computers or workstations coupled to each other can trans-
mit many types of information from one geographical loca-
tion to another geographical location. This information can
be in the form of voice, video, and data, which have been
commonly termed as "multimedia." Information transmitted
over the Internet or Internet "traffic" has increased dramati-
cally in recent years. In fact, the increased traffic has caused
congestion, which leads to problems in responsiveness and
throughput. This congestion is similar to the congestion of
automobiles on a freeway, such as those in Silicon Valley
from the recent "boom" in high technology companies,
including companies specializing in telecommunication. As
a result, individual users, businesses, and others have been
spending more time waiting for information, and less time
on productive activities. For example, a typical user of the
Internet may spend a great deal of time attempting to view
selected sites, which are commonly referred to as
"Websites," on the Internet. Additionally, information being
sent from one site to another through electronic mail, which
is termed "e-mail," may not reach its destination in a timely
manner. The quality of service or Quality of Service (QoS)
of the Internet has decreased to the point where messages
are being read at some time significantly after the messages
were sent.

Quality of Service is often measured by responsiveness,
including the amount of time spent waiting for images, texts,
and other data to be transferred, and by throughput of data
across the Internet, and the like. Other aspects may be
application specific, for example, jitter, quality of playback,
quality of data transferred across the Internet, and the like.

Three main sources of data latency include: the lack of
bandwidth at the user (or receiving) end, the general con-
gestion of the Internet, and the lack of bandwidth at the
source (or sending) end.

A solution to decreasing data latency includes increasing
the bandwidth of the user. This is typically accomplished by
upgrading the network link, for example by upgrading a
modem or network connection. For example, the network
may be upgraded to X2 modems, 56K modems, ADSL
DMT modems, ISDN service and modems, cable TV
service and modems, and the like. Drawbacks to these
solutions include that they typically require additional net-
work service; they also require additional hardware and/or
software, and further they require both the sender and
receiver to both agree on using the same hardware and/or
software. Although one user may have a much faster line or
faster modem, another user may still rely on the same 1,200
kbaud modem. So, the speed at which information moves
from one location to another location is often determined by
the slowest information which is being transferred over the
network. Accordingly, users of faster technology are basi-
cally going nowhere, or running nowhere fast, as is
commonly stated in the network industry.

From the above, it is seen that a technique for improving
the use of a wide area network is highly desirable.

SUMMARY OF THE INVENTION

The present invention relates to a technique, including a
method and system, for providing more quality to telecom-
munication services. More particularly, the present inven-
tion relates to quality of service management using a novel
traffic monitoring technique, which is distributed over a
network. The present monitoring technique is predominantly
software based, but is not limited to such software in some
embodiments. The present invention also provides a man-
agement tool for allocating bandwidth, as well as other
features.

In a specific embodiment, the present invention provides
a system with a novel graphical user interface for monitoring
a flow of information coupled to a network of computers.
The flow of information can come from a variety of locations
or nodes such as a firewall, a server, a wide area network, a
local area network, a client, and other information sources.
The user interface is provided on a display. The display has
at least a first portion and a second portion, where the first
portion displays a graphical chart representing the flow of
information, which comes from one of many locations on
the network. The second portion displays text information
describing aspects of the flow of information. The combi-
nation of the first portion and the second portion describes
the information being profiled. The display also has prompts 
in graphical or text form or outputs the source of the flow of 
information, where the source can be one of a plurality of 
nodes such as a server, a firewall, a wide area network, a 
local area network, a client, and other information sources. 
The present invention can be distributed over a network by 
way of one or more agents. 

In an alternative specific embodiment, the present inven-
tion provides a novel computer network system having a 
real-time bandwidth profiling tool. The real-time bandwidth 
profiling tool has a graphical user interface on a monitor or 
display. The graphical user interface includes at least a first 
portion and a second portion. The first portion displays a 
graphical chart representing the flow of information from at 
least one information source. The second portion displays 
text information describing the flow of information. The 
combination of the first portion and the second portion 
describes the information being profiled. Additionally, the 
graphical user interface has a portion that outputs a graphical 
representation including text or illustration of the source 
itself. The flow of information can be from a variety of 
sources, such as those described above as well as others, to 
provide a distributed profiling tool. 

In still an alternative embodiment, the present invention 
provides a novel bandwidth profiling tool. The present 
bandwidth profiling tool includes a variety of computer 
codes to form computer software or a computer program, 
which is stored in computer memory. The program includes 
a first code that is directed to measuring a data rate for a flow 
of information from an incoming source, which is coupled 
to a node from one of a plurality of sources such as a 
network of computers, for example. The program also has a 
second code that is directed to categorizing the data rate 
from the flow of information based upon at least one of a 
plurality of traffic classes and a third code that is directed to 
outputting a visual representation of the data rate in graphi- 
cal form on a display. A fourth code is used to direct the 
outputting of a text representation of the one of the plurality 
of traffic classes on the display. A fifth code is used to display
the origin of the flow of information. The origin of the flow 
of information can be one of a plurality of nodes from a 
firewall, a server, a local area network, and wide area 
network, and others. The present invention has a variety of 
other codes to perform the methods described herein, and 
outside the present specification. 

Numerous advantages are achieved by way of the present 
invention over pre-existing or conventional techniques. In a 
specific embodiment, the present invention provides a single 
point or a single region to manage telecommunication traffic
including directory services and bandwidth management.
Additionally, in some, if not all embodiments, the present
invention can be implemented at a single point of access 
such as a computer terminal or firewall, for example. 
Furthermore, the present invention can be predominately 
software based and can be implemented into a pre-existing 
system by way of a relatively simple installation process. 
Moreover, the present invention provides more valued appli- 
cations and users with a more reliable and faster service. 
Less critical applications and users are provided with a 
service level that is appropriate for them in some embodi- 
ments. In most embodiments, available bandwidth in a 
system is fairly shared between equally prioritized users 
(e.g., no user can monopolize or "hog" the system). Still 
further, link efficiency improves due to overall congestion 
avoidance in most cases. Moreover, the present invention 
implements its traffic management technique using a simple 
and easy to use "rule" based technique. Still further, the
present invention has tools that are distributed at one or more 
locations on the network to monitor traffic on an enterprise 
level rather than a single point or node on the network. 

Accordingly, the present invention provides an "end to end"
full cycle traffic management program. Depending upon the
embodiment, one or more of these advantages can be
present. These and other advantages are described through-
out the present specification, and more particularly below.

Further understanding of the nature and advantages of the
invention may be realized by reference to the remaining 
portions of the specification, drawings, and attached docu- 
ments. 

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified diagram of a system according to an 
embodiment of the present invention; 

FIG. 2 is a simplified block diagram of system architec- 
ture according to an embodiment of the present invention; 

FIG. 3 is a simplified diagram of a traffic management 
cycle according to an embodiment of the present invention; 

FIGS. 4-7 are simplified diagrams of systems according 
to various embodiments of the present invention; 

FIG. 8 is a simplified flow diagram of a rule-based control
method according to the present invention; 

FIGS. 9-15 are simplified representations of graphical 
user interfaces for monitoring traffic according to the present 
invention; and 

FIGS. 16-19 are simplified diagrams of a distributed
bandwidth management system according to embodiments
of the present invention.

DESCRIPTION OF SPECIFIC EMBODIMENTS 

An embodiment of the present invention provides inte-
grated network service policies for firewall platforms, as
well as other platforms or gateways. Specifically, the present
invention provides network or firewall administrators with
the ability to implement policy-based schema for security
and resource management on firewall platforms. In a specific
embodiment, resource management includes Network Qual-
ity of Service (QoS) or "bandwidth" management tech-
niques. In an exemplary embodiment, the present invention
provides tools for monitoring traffic for bandwidth
management, as well as other functions.

Network QoS occurs by managing the resources that
serve network application traffic, for example. This typically
includes the following resources: link bandwidth, applica-
tion server bandwidth (CPU), and buffer space on generally
all nodes (end-points, routers and gateways). Typically, data
through-put is limited by the speed of Internet access links
and by the server CPU capacity, and response time is
determined by the number of hops in a route, physical length
of the route, and extent of congestion in the route. There are
various other factors that may affect QoS, such as the
behavior of TCP/IP, severe congestion anywhere in the
route, prioritization of traffic along the route, etc. To a
network administrator, embodiments of the present inven-
tion provide discrimination of different traffic types and
provide methods for enforcement of traffic flow by manage-
ment to the above resources.

DEFINITIONS 

In the present invention, it may assist the reader to
understand some of the terms described herein. These terms
have been briefly described below. These terms are merely
examples and should not unduly limit the scope of the claims
herein.
1. Traffic Management: A set of techniques or mecha-
nisms including policies that can be applied in a 
network to manage limited network resources such as 
bandwidth and the like. These techniques are intended 
to improve overall network performance and efficiency. 
They are also intended to provide for more predictabil- 
ity and orderliness in the event of network congestion. 
The techniques should also isolate faults and provide 
visibility into performance problems. Additionally, 
they should meet the diverse user and application 
requirements as per an organization's business goals. 
Furthermore, traffic management is intended to
increase the "good put" traffic, based on the economic 
value and prevent the abuse of network resources. 

2. Quality Of Service (QoS): The concept of Quality of 
Service (QoS) has been analyzed and discussed for a 
number of years in the networking industry, and was 
previously associated mostly with ATM technology. In 
a more generic sense, QoS describes the performance 
specifications that an application requires from the 
underlying infrastructure. Otherwise, the application 
will not run satisfactorily. Some applications are 
designed to run in a best-effort mode and can adapt to 
available bandwidth. Others are extremely sensitive to 
delays. Still others can produce large bursts in traffic 
which affects other applications while providing little 
perceptible improvements to the end-user. QoS speci- 
fications are closely associated with the expectations 
and perceptions of end-users and the organization they 
are part of. 

3. Bandwidth: Bandwidth usually refers to maximum 
available bit rate for a specific application. In a specific 
embodiment, synchronous, interactive, and real-time 
applications, which are bandwidth-sensitive, can 
require minimum bandwidth guarantees, and can 
require sustained and burst-scale bit-rates. On the other
hand, network administrators may want to limit band-
width taken by non-productive traffic such as push
technologies like PointCast and others. Even though 
bandwidth may be allocated for specified applications, 
it does not mean that these applications may be using 
that bandwidth. Therefore, a good policy should be to 
enforce when there is competition and demand. 

4. Latency: Latency generally refers to the delay experi- 
enced by a packet from the source to destination. 
Latency requirements are typically specified as mean- 
delay and worst case delay in some cases. Real-time 
audio/video applications such as, for example, DNS, 
HTTP, and TELNET are delay sensitive. Delay is a 
result of propagation delay, due to physical medium 
and queuing at intermediate nodes such as routers, 
gateways, or even servers. A certain portion of the 
delay can be controlled by how the queues are serviced 
at the intermediate nodes, and by controlling conges- 
tion at bottleneck points. Some examples of delay 
measures are packet round-trip delay and connection 
response time. 

5. Jitter: Jitter generally refers to variation in delay (e.g., 
that is, the delay is not constant for all packets of a 
given flow) for a particular application. Real-time
applications require a worst case jitter. Applications
such as real-audio and video do some advanced buff-
ering to overcome any variation in packet delays — the
amount of buffering is determined by the expected
jitter.

6. Packet Loss: Packet loss is a loss in a packet or a 
portion of packets that is generally caused by failure of 
network elements (e.g., routers, servers) to forward or
deliver packets. Packet loss is usually an indication of
severe congestion, overload of an element, or element
failure (e.g., if a server is down). Even if the packet was
not dropped but just delayed, protocols and applica-
tions can assume it was lost. Packet loss can cause
application timeouts, loss of quality or retransmitted
packets. Packet loss is usually specified as a rate (e.g.,
a real-time video application cannot tolerate loss of
more than one packet for every 10 packets sent).
Indirect results of packet loss may also be measured
(e.g., connection retries or data retransmits).

7. Guarantees: An extreme example of a guarantee is to
partition bandwidth so that it is not available to other
entities. Guarantee also means a share of the resource,
e.g., minimum bandwidth or maximum latency.

8. Best-effort: Best-effort describes a service on a best-
effort basis but makes no guarantees.

9. Limits: Specific physical or theoretical limitation on a 
resource such as bandwidth. Resource utilization or 
admission is limited under certain conditions. 

10. Priority: Level of importance for a specific user,
application, or data. Create a priority scheme among
different entities so that contention is resolved or ser-
vice is provided.

11. Traffic Profiling: Profiling is intended to be defined as
cumulative details of traffic flows for each active client,
server, or application without application of any rules.
This includes bandwidth, response time, and failure
related statistics. Profiling is intended to provide long
term cumulative snapshots of traffic for capacity plan-
ning or setting traffic rules.

The above definitions are merely intended to assist the
reader in understanding some of the terms described herein.
They are not intended, in any manner, to limit the scope of
the claims. One of ordinary skill in the art would recognize
other variations, modifications, and alternatives.

SYSTEM OVERVIEW 

FIG. 1 illustrates a simplified system 100 according to an
embodiment of the present invention. The system 100 is
merely an illustration and should not limit the scope of the
claims herein. One of ordinary skill in the art would recog-
nize other variations, modifications, and alternatives. The
present invention, which includes a bandwidth management
tool, can be embodied as a TrafficWare™ firewall server 110
from Ukiah Software, Inc., but can be others. The bandwidth
management tool, which sits in the firewall, can monitor
and/or control information at a single node or more than one
node (i.e., distributed) in the network system. System 100
typically includes a file server 120, and a plurality of
computers 130-150, coupled to a local area network (LAN)
160, and other elements. Firewall server 110 includes a
typical connection to a wide area network (WAN) 170 and
to a remote LAN 180 (such as an Intranet) and a typical
network connection 190 to the Internet 200. Attached to
Internet 200 are Web servers 210 and other computers 220.

As illustrated, computers such as computer 130, 140, and
210 communicate using any one or multiple application
layer protocols such as Telnet, file transfer protocol (FTP),
Hypertext transmission protocol (HTTP), and the like.
Further, communication across WAN 170 and across net-
work connection 190 implements transport layer protocols
such as transmission control protocol (TCP), universal data
protocol (UDP), and the like. LAN 160 and LAN 180 are
preferably based upon network protocols such as Internet
protocol (IP), IPX from Novell, AppleTalk, and the like. As
shown in FIG. 1, network connection 190 may be accom-
plished using T1, ISDN, Dial-Up, and other hardware con-
nections. Computers 120-150 and 210-220 may be any
suitable make or model of computer that can be coupled to
a network. The system can also include a variety of other
elements such as bridges, routers, and the like.

In an alternative specific embodiment, the present inven-
tion may be applied to a system with various links accessed
in servicing a browser request at a remote web server. In this
embodiment, a client could be dialing in via a 28.8 kbit dial
up modem to a local Internet service provider (ISP), where
the ISP may be connected to the Internet by a T1 link. A web
server may be on a 10 Mbps Ethernet LAN, which is
connected to another ISP via a 56 K frame relay. The web
server's ISP may be connected to its carrier via a T3 line.
The client ISP carrier and the server ISP carrier may both be
connected by an ATM backbone or the like. Because of this
asymmetry in this embodiment, any traffic management
solution should take into account these variations including
traffic speed and data format described above. Moreover,
simply upgrading the capacity of a link, in the access path,
may not offer a viable solution. This present embodiment
may have the bandwidth requirements shown by way of
Table 1, for example.

TABLE 1
Bandwidth Requirements

Users                                   Bandwidth            Service Offered
--------------------------------------  -------------------  --------------------------
Internet developers, individuals,       28.8 to 56 Kbps      Dial-up services, ISDN
international locations where
bandwidth is expensive
Small to medium-sized organizations     56 Kbps to 1.5 Mbps  Fractional T1, frame relay
with moderate Internet usage
Medium sized organizations with many    1.5 Mbps             Dedicated T1 circuit
moderate users, smaller organizations
requiring huge amounts of bandwidth
Standard bandwidth for Ethernet-based   10 Mbps              Ethernet, token ring
LANs                                                         (4 Mbps or 16 Mbps)
Bandwidth usage for large               45 Mbps              Dedicated T3 circuit
organizations or Internet backbones
Huge bandwidth LAN backbone usage for   100 to 1,000 Mbps    Fast Ethernet, gigabit
medium to large organizations                                Ethernet
(hundreds or thousands of users)


As shown above, there exist a large number of diverse 
applications and protocols that are widely used and have 
their own performance requirements. For example, applica- 
tions such as mail (e.g., SMTP) and news (e.g., NNTP) are 
not interactive and are therefore not sensitive to delay. On 
the other hand, applications such as real-time conferencing 
are extremely sensitive to delay but not to packet loss. 
Applications such as TELNET and DNS do not utilize 
significant bandwidth, but are sensitive to delay and loss. 
Conversely, applications such as FTP consume a great deal 
of bandwidth but are not that sensitive to delay. Generally, 
network applications can be categorized as: 

1. Interactive (e.g., delay sensitive) versus non-interactive 
(e.g., delay tolerant); 

2. Bandwidth intensive (bulk data) versus non-bandwidth
intensive; and 

3. Bursty versus non-bursty. 
These categories are merely illustrative and should not
limit the scope of the claims herein. Additionally, some 
application requirements are dependent on the context of use 
and the nature of data being accessed. Such applications can 
be described as being nominally interactive or nominally 
bandwidth intense. This means the description applies to 
many but not all the situations in which they are used. 

As merely an example, Table 2 provides some illustra-
tions for these categories.

Application Class                                   Examples
--------------------------------------------------  --------------------------------------
Low-bandwidth, delay sensitive, highly interactive  DNS, PING, TELNET, CHAT, COLLABORATION
High bandwidth, delay sensitive                     Real-time audio and video
High bandwidth, nominally interactive               Web service requests, file downloads
Non-interactive                                     Mail and news

Table 2: Application Spectrum

As shown in Table 2, low-bandwidth, delay sensitive, and
highly interactive applications include, among others, DNS,
PING, TELNET, CHAT, COLLABORATION. High band-
width and delay sensitive applications include at least
real-time audio and video. Additional applications for high
bandwidth and nominally interactive, or non-interactive
have also been shown. Again, these applications are merely
provided for illustration and should not limit the scope of the
claims herein.
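As an added example (not code from the patent or from the TrafficWare product), the profiler below accumulates the per-client statistics named in definitions 3 through 6 and 11 (data rate, response time, jitter, loss) without applying any rules, and tags each flow with its Table 2 application class. Identifying the application from the server port, the sequence-number loss check and the sample capture are assumptions constructed for the example.

```python
"""Traffic profiler after definition 11: cumulative per-client flow
statistics gathered without applying rules, each flow categorized by
the Table 2 application classes. Added example; not the patent's code."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Assumption: the application is identified from the server port.
PORT_TO_APP = {53: "DNS", 80: "HTTP", 21: "FTP", 25: "SMTP"}
# Traffic classes after Table 2.
APP_CLASS = {
    "DNS": "low-bandwidth, delay sensitive, highly interactive",
    "HTTP": "high bandwidth, nominally interactive",
    "FTP": "high bandwidth, nominally interactive",
    "SMTP": "non-interactive",
}


@dataclass
class Packet:
    t: float            # capture time at the firewall, seconds
    client: str
    port: int           # server port
    size: int           # bytes on the wire
    seq: int            # per-flow sequence number, used to detect loss
    delay_ms: float     # one-way delay measured for this packet
    resp_ms: Optional[float] = None   # response time when this was a request


@dataclass
class Profile:
    app: str
    traffic_class: str
    first_seen: float
    last_seen: float = 0.0
    bytes_total: int = 0
    packets: int = 0
    lost: int = 0
    next_seq: int = 0
    delays: List[float] = field(default_factory=list)
    responses: List[float] = field(default_factory=list)

    def data_rate_kbps(self) -> float:      # definition 3
        span = self.last_seen - self.first_seen
        return self.bytes_total * 8 / span / 1000 if span > 0 else 0.0

    def mean_response_ms(self) -> float:    # definition 4, mean delay
        return mean(self.responses) if self.responses else 0.0

    def jitter_ms(self) -> float:           # definition 5, delay variation
        if len(self.delays) < 2:
            return 0.0
        return mean(abs(b - a) for a, b in zip(self.delays, self.delays[1:]))

    def loss_rate(self) -> float:           # definition 6, lost / sent
        sent = self.packets + self.lost
        return self.lost / sent if sent else 0.0


def profile(packets: List[Packet]) -> Dict[Tuple[str, str], Profile]:
    """One cumulative Profile per (client, application); no rules applied."""
    profiles: Dict[Tuple[str, str], Profile] = {}
    for p in sorted(packets, key=lambda x: x.t):
        app = PORT_TO_APP.get(p.port, "OTHER")
        prof = profiles.get((p.client, app))
        if prof is None:
            prof = Profile(app, APP_CLASS.get(app, "unclassified"), p.t)
            profiles[(p.client, app)] = prof
        prof.last_seen = p.t
        prof.packets += 1
        prof.bytes_total += p.size
        prof.delays.append(p.delay_ms)
        if p.resp_ms is not None:
            prof.responses.append(p.resp_ms)
        if p.seq > prof.next_seq:           # gap: network failed to deliver
            prof.lost += p.seq - prof.next_seq
        prof.next_seq = p.seq + 1
    return profiles


def report(profiles: Dict[Tuple[str, str], Profile]) -> List[str]:
    """Text portion of the display: one line per profiled flow."""
    return [f"{c} {pr.app} [{pr.traffic_class}] {pr.data_rate_kbps():.1f} kbps, "
            f"loss {pr.loss_rate():.0%}, jitter {pr.jitter_ms():.1f} ms, "
            f"resp {pr.mean_response_ms():.0f} ms"
            for (c, _), pr in sorted(profiles.items())]


# Constructed sample capture: a DNS flow, an FTP flow missing seq 2, and
# two HTTP requests with measured response times.
SAMPLE = [
    Packet(0.0, "10.0.0.5", 53, 80, 0, 5.0),
    Packet(0.1, "10.0.0.5", 53, 80, 1, 6.0),
    Packet(0.2, "10.0.0.5", 53, 80, 2, 5.0),
    Packet(0.0, "10.0.0.5", 21, 1500, 0, 20.0),
    Packet(0.5, "10.0.0.5", 21, 1500, 1, 24.0),
    Packet(1.0, "10.0.0.5", 21, 1500, 3, 20.0),
    Packet(1.5, "10.0.0.5", 21, 1500, 4, 26.0),
    Packet(2.0, "10.0.0.7", 80, 500, 0, 30.0, resp_ms=120.0),
    Packet(2.4, "10.0.0.7", 80, 800, 1, 32.0, resp_ms=180.0),
]
```

Calling `report(profile(SAMPLE))` yields one display line per (client, application) pair; the FTP flow shows a 20% loss rate because sequence number 2 never arrived.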

The present invention can also be used with a number of 
various files. For example, a number of common 
applications, such as FTP and HTTP, can handle a wide 
variety of files. The file types being transferred and down- 
loaded place different demands on the underlying infrastruc- 
ture. Index and HTML files take up limited bandwidth but 
have very mundane contents. On the other hand, GIF, JPEG
and MPEG, RA and AVI files take up a lot more bandwidth
but provide a rich multimedia experience to the end-user. In
fact, push technologies such as PointCast basically down-
load rich multimedia bandwidth-intensive files.

The present invention can also be used with a variety of 
user requirements. For example, networks are facing an 
explosion in the number of (inter) networked applications 
and data accessible through them. Network resources are 
increasingly being used for a wide variety of purposes, 
ranging from business critical to personal. This means that 
policies must ensure that scarce resources (e.g., Internet 
bandwidth) are utilized with the goal of maximizing the 
returns to the organization. These benefits can come from 
direct revenue generating activities or from improved pro- 
ductivity (or reduced loss of productivity). As shown in 
Table 3, for example, at a mythical company called "She- 
bang Software Inc." the highest bandwidth priority has been 
allocated to technical support. However, there is no hard and 
fast rule. As with security policies, decisions should be 
consistent with the needs of the organization. 

TABLE 3
Shebang Software User Priorities

Users                          Application Class   Reasons
-----------------------------  ------------------  --------------------------------------
Technical support              Mission critical    Needs most bandwidth to deal with
                                                   customers who need assistance
Sales and marketing            Critical            Needs bandwidth to deal with potential
                                                   customers. Answer inquiries, make
                                                   quotes, transmit multimedia
                                                   presentations
Upper management and middle    Casual              Needs bandwidth to perform tasks
management, administrative                         necessary to run the business
Development and manufacturing  Personal            Needs bandwidth to send e-mail,
                                                   subscribe to Push technologies

The present invention takes into account, in one or more 
embodiments, the factors which are described specifically 
above. Although the above has been generally described in 
terms of a specific type of information, other types of 
information on a network can also be used with the present 
invention. Additionally, the present invention has been 
described in general to a specific system. For instance, the 
present bandwidth management tool can be applied at a 
network's Internet access link. Alternatively, the present tool 
can be applied to a private WAN link to a remote corporate 
site or an access to a server farm (e.g., a group of servers 
located in a special part of the network close to an access 
link, e.g., in a web hosting environment). Alternatively, the 
present invention can be applied to key servers (e.g., 
database/web server) within an organization servicing inter- 
nal and/or external users. Furthermore, the present band- 
width management tool can be applied to any combination 
of the above or the like. Still further, the tool can be 
distributed in one or more locations or nodes in the network, 
e.g., LAN, WAN. 
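The allocation behaviour claimed in the advantages section (more valued users served first, equally prioritized users sharing fairly so that no user can "hog" the link) applied to the Table 3 classes, as an added example rather than the patent's own method: strict priority between classes and max-min fair sharing within a class are assumptions, and the link size and demand figures are constructed.

```python
"""Priority-aware bandwidth allocation: Table 3 classes are served in
priority order, and within one class the available bandwidth is shared
max-min fairly so no user can monopolize the link. Added example; the
patent does not spell out its sharing algorithm, so max-min fair sharing
is an assumption here, not the patent's method."""
from typing import Dict, Tuple

# Application classes from Table 3, most important first.
PRIORITY = {"Mission critical": 0, "Critical": 1, "Casual": 2, "Personal": 3}


def max_min_share(demands: Dict[str, float], capacity: float) -> Dict[str, float]:
    """Progressive filling: every unsatisfied user receives an equal share of
    what is left; a user wanting less than the share keeps only its demand
    and the surplus is redistributed in the next round."""
    alloc = {user: 0.0 for user in demands}
    remaining = capacity
    active = {user for user, d in demands.items() if d > 0}
    while active and remaining > 1e-9:
        share = remaining / len(active)
        satisfied = set()
        for user in sorted(active):
            give = min(share, demands[user] - alloc[user])
            alloc[user] += give
            remaining -= give
            if alloc[user] >= demands[user] - 1e-9:
                satisfied.add(user)
        if not satisfied:           # everyone took a full share: link exhausted
            break
        active -= satisfied
    return alloc


def allocate(link_kbps: float,
             users: Dict[str, Tuple[str, float]]) -> Dict[str, float]:
    """users maps a name to (Table 3 application class, demanded kbps).
    Rule: strict priority between classes, max-min fairness within a class."""
    by_priority: Dict[int, Dict[str, float]] = {}
    for name, (app_class, demand) in users.items():
        by_priority.setdefault(PRIORITY[app_class], {})[name] = demand
    result: Dict[str, float] = {}
    remaining = link_kbps
    for prio in sorted(by_priority):
        alloc = max_min_share(by_priority[prio], remaining)
        result.update(alloc)
        remaining -= sum(alloc.values())
    return result


# Constructed demand snapshot on a dedicated T1 access link (Table 1).
T1_KBPS = 1536.0
DEMANDS = {
    "support-1": ("Mission critical", 600.0),
    "support-2": ("Mission critical", 300.0),
    "sales":     ("Critical", 500.0),
    "mgmt":      ("Casual", 400.0),
    "dev":       ("Personal", 800.0),
}

if __name__ == "__main__":
    for user, kbps in allocate(T1_KBPS, DEMANDS).items():
        print(f"{user:10s} {kbps:7.1f} kbps of {DEMANDS[user][1]:.0f} requested")
```

With the constructed demands the two support users and sales are fully served, management receives the 136 kbps left over, and the personal-class user gets nothing until higher classes stop competing.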

FIG. 2 is a simplified block diagram 200 of details of 
system architecture according to an embodiment of the 
present invention. The block diagram is merely an illustra- 
tion and should not limit the scope of the claims herein. The 
architecture includes a variety of layers that each interface to 
each other as depicted by the layers. The system includes a 
network layer 211, which interfaces to incoming and out- 
going information to the network. The network can be one 
of a variety including, among others, Ethernet and Token 
Ring. A physical layer 209 is disposed above the network 
layer 211. The physical layer can be personal computers, 
which are commonly called PCs, or network interface 
computers, which are commonly called NCs, or alternatively 
workstations. As merely an example, a personal computer
can be an IBM PC compatible computer having a '586-class
based microprocessor, such as a Pentium from Intel
Corporation, but is not limited to such a computer or
processor. An operating system ("OS") is used on the
computer such as Windows NT® from Microsoft
Corporation, but can also be other OSs. The system is also
coupled to a graphical user interface ("GUI") 201 and is 
coupled to directory services such as, for example, LDAP, 
but can be others. A detailed discussion of directory services 
is described in U.S. Pat. Nos. 6,243,815, 6,212,568 and 
6,047,322 which are commonly assigned, and hereby incor- 
porated by reference for all purposes. 

Directory services 224 and GUI 201 couple to an appli-
cation programming interface ("API") 223. The API is
coupled to a traffic management or bandwidth management
tool 208 with at least three modules, including a policy
engine module 231, a FAST module 229, and a FAIR
module 227, which will be discussed in more detail below,
but is not limited to these modules. The bandwidth man-
agement tool 208 can be predominantly software based and
is substantially free from any significant hardware or soft-
ware changes in the network. In a preferred embodiment, the
bandwidth management tool 208 can be loaded onto a server
without any changes to hardware. In an alternative preferred
embodiment, the tool can install, configure, and operate on
a conventional IBM compatible PC running an operating
system such as, for example, Windows NT, but can be
others. The tool can be deployed at any appropriate point in
the network data path. The tool can also be stand-alone at the
WAN access point (e.g., behind the Internet access router or
behind a firewall), with a conventional firewall or with an
NT based proxy/caching server or application server (e.g., a
Web server).

Tool 208 performs incoming and/or outgoing manage-
ment of information over the network of computers. In a
specific embodiment, traffic management tool 208 performs
inbound and outbound monitoring and control of flows by
application, source address, destination address, URL, time
of day, day of week, day of month, and other variations. In
a specific embodiment, tool 208 also monitors, controls, and
produces reports and alarms, which can enhance a whole
spectrum of traffic monitoring and control activities ranging
from bandwidth/latency control to capacity planning.

In a specific embodiment, the bandwidth management
tool adapts to "real" changes on any pre-existing networking
system. For example, network infrastructure management
involves a continuous process of monitoring, reporting, and
deploying changes to match network growth or changing
needs in a growing office, for example. These changes exist
at various levels and time scales. As merely examples, the
network changes can be to enforce a QoS Policy for a critical
service, add WAN bandwidth, segment the network, upgrade
a router, choose a guaranteed service level for a web site
(e.g., user's own web site), or notify "Mr. Hog" (i.e., a user
occupying too much bandwidth) that he should schedule his
large personal downloads at more prudent times such as late
at night, for example.

In a specific embodiment, the system architecture has
applications or tools that distribute themselves over the
network, which allows the present tool to monitor one or
more nodes on the network. In one aspect, the present tool
can be disposed at any source of information such as a
router, server, a firewall, a bridge, a local area network, a
wide area network, a client, and other information sources.
Further details of the distributed bandwidth management
product are shown by way of the Figs. below.

BANDWIDTH MANAGEMENT PROCESS

The bandwidth management tool can employ these
changes using, for example, the process shown in FIG. 3.
This process is merely an illustration and should not limit the
scope of the claims herein. As shown, FIG. 3 is a simplified
diagram 300 of a traffic management cycle according to an
embodiment of the present invention. The traffic manage-
ment cycle is depicted as a continuous cycle, which includes
a monitoring phase 301, a creating/applying policy phase
303, and a reporting/alarming phase 305, but is not limited
to these cycles. That is, these cycles can be separated or
combined depending upon the application. By way of this
cycle, the tool can adapt to any changes to the networking
system according to the present invention.

In an aspect of the present invention, the present tool can
monitor and control activities at various times, e.g., seconds,
days, weeks, months, years. Some details with regard to
these control activities are shown below under the headings.
1. Second to second

The tool provides second to second time scale monitoring
and control of incoming and outgoing traffic over the net-
work. As merely an example, the tool ensures that critical or
more important traffic gets a right of way during traffic
bursts and provides bandwidth enforcement. Multiple users
of the network at a specific time can cause the traffic burst.
Alternatively, multiple sessions on the network at a specific
time can cause the traffic burst. Once the traffic burst is
detected, the tool has a control device, which provides
bandwidth enforcement to ensure that the more important
traffic gets through the network.

2. Day to day 

The tool provides day to day time scale monitoring and
control of incoming and outgoing traffic over the network.
As merely an example, the tool manages time of day
congestion, and responds to intermittent problems or per-
ceived problems. The tool generally deals with problems or
limitations that are very specific and isolated to particular
users or particular services at particular times that need to be
tracked down quickly.

3. Week to week 

The tool provides week to week time scale monitoring
and control of incoming and outgoing traffic over the net-
work. The tool analyzes traffic usage performance patterns,
what services or hosts are active on the network, and
troubleshoots chronic problems. In particular, the tool looks
at aggregates, such as a particular segment of the network,
and compares Websites or compares groups of users for
usage of bandwidth and frequency of usage.

4. Longer term activities 

The tool provides long term time scale monitoring and
control of incoming and outgoing traffic over the network.
The tool implements changes in organizational priorities, in
billing. The tool also provides service for new applications
as they are introduced, and provides for capacity planning
for network resources. The present tool can also be used with
network stress testing tools to obtain detailed analysis of
flows and traffic behavior with/without policy enforcement
before a new application is deployed to change the network
infrastructure.

Based upon the above description, the present tool can be
used to monitor and control incoming and outgoing traffic
over a variety of time frequencies. The time frequencies
include second by second, day to day, or long term, and
combinations thereof, depending upon the application. Of
course, the time frequency used depends upon the particular
network and applications.

FIGS. 4-7 are simplified diagrams of systems according
to various embodiments of the present invention. These
diagrams are merely illustrations and should not limit the
scope of the claims herein. One of ordinary skill in the art
would recognize other variations, alternatives, and modifi-
cations. These systems show various deployment scenarios
according to the present invention.

1. Internet Service Provider (ISP) 

FIG. 4 is a simplified diagram 400 of the present tool in
an ISP environment according to the present invention. The
diagram 400 includes a variety of elements such as an ISP
LAN 401, which is coupled to network elements including
a remote access concentrator 403, a web server 417, an FTP
server 415, a router 413, a news server 411, and others. The
tool 405 is coupled between the ISP LAN and router 407,
which is connected to the Internet 409. In this embodiment,
the ISP is providing a number of services to its customers
and the present tool sits by the Internet link and manages
inbound and outbound traffic.
In a specific embodiment, the system architecture has
applications or tools that distribute themselves over the
network, which allows the present tool to monitor one or
more nodes on the network. In one aspect, the present tool can be
disposed at any source of information such as a router, 
server, a firewall, a bridge, a local area network, a wide area 
network, a client, and other information sources. As merely 
an example, the present tool can be implemented at any 
location that is identified by reference letter B, but can also 
be at other locations. 

2. Web Hosting Deployment 

FIG. 5 is a simplified diagram 500 of the present tool in 
a web hosting environment according to the present inven- 
tion. The diagram 500 includes a variety of elements such as 
a LAN backbone 501, which is coupled to network elements 
including web servers 503, 511, 513, and others. The present 
tool 505 is coupled between LAN 501 and router 507, which 
is connected to the Internet 509. In the present embodiment, 
the tool is being used to manage inbound and outbound 
traffic between some Websites and the Internet. In a specific
embodiment, most of the data being transmitted is
multimedia-based, but is not limited to such data.

In a specific embodiment, the system architecture has
applications or tools that distribute themselves over the
network, which allows the present tool to monitor one or
more nodes on the network. In one aspect, the present tool
can be disposed at any source of information such as a router,
server, a firewall, a bridge, a local area network, a wide area 
network, a client and other information sources. As merely 
an example, the present tool can be implemented at any 
location that is identified by reference letter B, but can also 
be at other locations. 

3. End-User Deployment 

FIG. 6 is a simplified diagram 600 of the present tool in 
a campus environment according to the present invention. 
The diagram 600 includes a variety of features such as a 
campus network 601, which is coupled to network elements 
such as a desktop PC 603, a UNIX computer 617, an NT 
Server 615, a web server 613, directory services 611, and 
others. A bandwidth management tool 605 is coupled
between campus network 601 and router 607, which is
coupled to Internet 609. In this embodiment, a LAN or WAN
supports a number of different setups and configurations,
which compete for bandwidth to access the Internet. The
present tool acts as an arbitrator for implementing rules,
enforcing policies, and setting admissions for classes, as
well as performing other acts.

In a specific embodiment, the system architecture has
applications or tools that distribute themselves over the
network, which allows the present tool to monitor one or
more nodes on the network. In one aspect, the present tool can be
disposed at any source of information such as a router, 
server, a firewall, a bridge, a local area network, a wide area 
network, a client, and other information sources. As merely 
an example, the present tool can be implemented at any 
location that is identified by reference letter B, but can also 
be at other locations. 

4. Private WAN 

FIG. 7 is a simplified diagram 700 of the present tool 
deployed for a large corporation that has an Intranet as well 
as an Internet. The diagram 700 includes a variety of 
elements or "children" such as a connection to Frankfurt 
715, a connection to London 713, a connection to Hong 
Kong 717, and a connection to Paris 719. Each connection 
or child includes a router 705A, E, D, C, and the present tool 
703 A, E, D, C, which is coupled between the router and the 
hub ("HQ"). In a WAN-based environment, for example, 
HQ 701 is the hub that handles a number of independent
systems (e.g., Frankfurt, London, Hong Kong, Paris), which
can be LAN-based. In this embodiment, the present tool
703B also sits by the Internet 711 and is used to allocate
bandwidth between the competing children, e.g., Frankfurt,
London, Hong Kong, Paris. Router 705B is coupled between
tool 703B and Internet 711.

In a specific embodiment, the system architecture has
applications or tools that distribute themselves over the
network, which allows the present tool to monitor one or
more nodes on the network. In one aspect, the present tool
can be disposed at any source of information such as a
router, server, a firewall, a bridge, a local area network, a
wide area network, a client, or other information sources. As
merely an example, the present tool can be implemented at
any location that is identified by reference letter B, but can
also be at other locations.

Although the above descriptions have been made in terms
of deploying the present tool in selected environments, the
present tool can also be deployed in other environments. For
example, the present tool can be deployed in any combina-
tion of the above. Alternatively, the present tool can be
deployed in any portion of the above environments. Of
course, the type of environment used by the present tool
depends highly upon the application.

In a specific embodiment, the tool provides an easy to use
interface or graphical user interface ("GUI") for perfor-
mance monitoring and profiling (e.g., accounting). Profiling
can be based on active services, clients and servers, among
other parameters. Additionally, profiling of the network can
be started as soon as the tool is installed into the server of
the network. Accordingly, the tool provides immediate
accounting and service measurement on a variety of QoS
measures.

In a specific embodiment, the present tool generally uses
two mechanisms to implement efficient traffic monitoring
and traffic control. These mechanisms include processes
performed by the FAST module and the FAIR module,
which are shown in FIG. 2, for example. Additionally, the
present tool uses a policy engine module 231, which over-
sees the FAST module 229 and the FAIR module 227. Some
details of these modules are described as follows.

1. FAST Module (Flow Analysis and Session Tagging)

The FAST module generally provides for monitoring of
incoming and outgoing information to and from the network
or link. Flow Analysis and Session Tagging ("FAST")
implements rich, application level traffic classification, and
measurement. This operation is accomplished without intro-
ducing slow data paths to minimize latency and maximize
overall throughput of traffic through the tool management
engine. As shown in the Fig., the FAST module provides for
classification 203 of information such as parameters 213
including application, presentation, session, transport, and
network. The FAST module also provides for measurement
219 of various parameters. The FAST module is coupled to
the API.

2. FAIR Module (Flow Analysis and Intelligent 
Regulation) 

The FAIR module generally implements traffic control
and manages bandwidth of incoming and outgoing informa-
tion to and from the network or link. Flow Analysis and
Intelligent Regulation ("FAIR") implements traffic control
based on a combination of flow control and queuing algo-
rithms. FAIR's objective is to provide inbound and outbound
traffic management for meaningful time intervals, reducing
the load on packet classifiers and packet schedulers. The
FAIR module controls 205 incoming and outgoing informa-
tion to and from the network. Additionally, the FAIR module
controls 205 by parameters 215 such as class, session, burst,
packet, and others. The FAIR module also controls time 217
of allocating bandwidth for these parameters. The FAIR
module is coupled to the API.
3. Policy Engine Module 

The policy engine module 231 oversees the FAST and 
FAIR modules. The engine module also interfaces with the 
API. In an embodiment, the policy engine module includes 
a security policy 201, a traffic policy 202, and other policies 
221. The security policy provides parameters for securing 
the present tool. The traffic policy defines specific limita- 
tions or parameters for the traffic. 

Some definitions about the various modules have been 
described above. These definitions are not intended to be 
limiting. One of ordinary skill in the art would recognize 
other variations, modifications, and alternatives. 
Additionally, the modules described are generally provided 
in terms of computer software. Computer software can be 
used to program and implement these modules, as well as 
others. The modules can be combined or even separated, 
depending upon the applications. Functionality of the mod- 
ules can also be combined with hardware or the like. In a 
specific embodiment, the present modules are implemented
on a Windows NT™ operating system, which has been
developed by Microsoft Corporation. Of course, other oper- 
ating systems can also be used. Accordingly, the present 
modules are not intended to be limiting in any manner. 

In an embodiment, the present tool can be configured
based upon at least the following components — traffic
classes, traffic policies, traffic rules, and traffic entities. Some
information about these components is described below.

1. Traffic Classes 

The present tool identifies data flows at a network site 
based on traffic classes. A traffic class is any combination of 
the following, but is not limited to these: 

IP address, sub-net, network, net group, or range of source 
or destination; 

URL of the sender or group of URLs; 

Service (e.g., HTTP, FTP) or groups of services; 

FTP and HTTP, file types can be selected as well; 

Time of day, day of week/month; and 

Inbound and outbound information. 

As shown above, traffic classes are directional. Traffic 
classes configured for inbound traffic are managed sepa- 
rately from traffic classes configured for outbound traffic. 
For example, the present tool may decide to guarantee a
minimum bandwidth to critical traffic so that it is not
affected by congestion from large downloads. Additionally, 
the present tool may want to monitor Push traffic for a while 
and then choose to limit it if it is perceived as a problem. 
Traffic classes can also be for measurement only or for 
control and measurement in some embodiments. These are 
merely examples and should not limit the scope of the claims 
herein. 

2. Traffic Policies 

Traffic policies are generally mechanisms used to control 
the traffic behavior of specific classes. In an embodiment, the 
present tool can configure policy properties which provide, 
for example: 

Bandwidth guarantees — granting classes a minimum 
bandwidth in the presence of congestion or competition; 

Bandwidth limits — establishing a limit on the total band- 
width used by the class; 

Setting priorities — establishing a priority order for band- 
width limiting or servicing traffic from a class. (That is, high 
priority classes are serviced first and are affected the least
during contention for bandwidth. Lower priority classes are
serviced in order of priority and may be more affected by
congestion or contention);

Admission control — establishing conditions under which
a new network session or service request is admitted or not
admitted. (This kind of policy establishes a broad bandwidth
control or service quality for sessions already admitted).

As shown, the present invention provides policies such as 
bandwidth guarantees, bandwidth limits, setting priorities, 
admission control, and others. It may assist the reader in 
understanding some of the terms used in the policies by 
drawing an analogy with a geographical highway for auto- 
mobiles. For example, bandwidth relates to how fast one can 
go (e.g., fast or slow lane) once a user has entered the stream 
of traffic on the highway. That is, the physical limit for speed 
in the specific lane chosen. Priority is analogous to how 
quickly the user is able to enter the highway and move into 
a designated lane, and how often the user may have to 
temporarily give way to other vehicles during the drive. 
Admission control is analogous to the metered lights at the
entrance of the freeway where one is made to wait under
certain conditions. Of course, depending upon the applica-
tions other analogies can be used to explain the policies.
Additionally, the policies are merely examples and should
not limit the scope of the claims herein.

3. Traffic Rules

A rule generally includes a traffic class and a policy
associated with the class. A class can have several policies
that apply at different time intervals. "Rule" is also used to
refer to the policy or to a specific row in the present tool user
interface. The present tool user interface is described in, for
example, U.S. application Ser. No. 60/067,857.

4. Traffic Entities 

The present tool refers to entities in at least two different
contexts: defining traffic classes and viewing traffic profiles.
For example, a network entity generally refers to an IP
address, host, sub-net, IP net, IP range, URL or a group of
other network entities. A service entity refers to a single
service or a group of services. A native entity is referred to
in viewing traffic profiles. No rule setting or configuration is
required to monitor these entities. When the present tool is
installed, it begins to profile traffic based upon detected
services, clients, or servers, all of which are called native
entities.

5. Guidelines for Developing Traffic Policies 

The present invention provides some guidelines for devel-
oping traffic policies. For example, to develop meaningful
and effective traffic policies, the present tool may need to
understand and take into account one or more of the fol-
lowing:

The kind of business being performed by the user over the
Internet. If the user is an ISP, the user may need to
develop a business/pricing model that leverages the
features of the present tool. If the user is managing
corporate access to the Internet, the user may want to
identify any business critical services being provided
over the Internet.

The priority of clients, servers and URLs hosted in the
user's network or servers accessed over the Internet. This
can be organized as business critical, casual and per-
sonal.

The properties of different applications being used,
whether they utilize lots of bandwidth or not. The user
may also need to account for the type of files commonly
downloaded by users or from the Web site.

Measure and analyze traffic using the present tool's pro-
files. Additionally, monitoring of selected entities (e.g.,
users, services) may also be useful.
In a further embodiment, the present tool provides some
general guidelines for some commonly used applications.
These guidelines should be used in conjunction with busi-
ness driven priorities, traffic profiling, and selective real-
time monitoring to establish an effective traffic policy.
Selected guidelines are defined as follows, but are not
limited to these.
Delay-sensitive low bandwidth applications, such as 
TELNET and DNS, are controlled best by setting a 
high priority policy. The present tool can give the 
highest priority to all network control traffic, such as 
QoS signaling, session establishment, domain lookup 
and routing protocols. 
Streaming multimedia applications, such as Real Audio/ 
Video and Vxtreme, can hog a lot of bandwidth but are 
also delay and bandwidth sensitive. If they are not 
critical, they are controlled best by setting a high 
priority and a policy to limit admission of sessions so 
that bandwidth use is capped but admitted sessions 
have a reasonable quality. 
Push technologies, such as PointCast and Marimba, which
download large files, are not delay or bandwidth sensitive
and usually not business critical. They are best controlled by
a limiting bandwidth policy and a low priority.
Bulk-data non-interactive applications, such as SMTP and
NNTP, should be guaranteed a small bandwidth mini-
mum so that they are not totally squeezed out by
congestion or control policies.
Bulk-download, nominally interactive applications, such
as FTP or some HTTP downloads, are commonly used
in a variety of situations, ranging from critical to
casual. Differentiating various types of usage in this
case can usually be made only on the basis of file types
and/or source or destination addresses. In this case, a
small minimum can be guaranteed for more important
use.

In bulk-download applications (e.g., file size>20 K 
Bytes), overall congestion and burstiness can be con- 
trolled by slightly limiting this traffic, even if it is just 
a little below the total available bandwidth (e.g., 90%). 
The present tool can provide smoothing controls on this 
traffic without impacting overall perceptible perfor- 
mance for these downloads. This is particularly useful 
at lower link speeds (128 K and below). 
Mission critical applications, such as Lotus Notes, Oracle 
SQLNet, and LDAP, are controlled best by setting a 
high priority with a guaranteed bandwidth minimum. 
The above provides some guidelines for commonly used 
applications according to the present invention. Using the 
above guidelines, the present tool can effectively allocate 
bandwidth on a network, for example. Again, the above 
guidelines are merely examples and should not limit the 
scope of the claims herein. 
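As an added illustration that is not the patent's own code, the following Python sketch writes the guidelines above as rules (each a traffic class plus a policy), runs the kind of policy validation that rejects contradictory or ambiguous rule sets, and shows the class, time-of-day and policy check applied to a flow; the class names, service sets, link size and all bandwidth numbers are constructed.

```python
"""Added example (not the patent's code): the class / policy / rule model and
the policy validation described above, with constructed numbers."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TrafficClass:
    name: str
    services: frozenset      # service names this class matches
    direction: str           # "inbound" or "outbound": classes are directional
    hours: tuple = (0, 24)   # time-of-day window [start_hour, end_hour)


@dataclass(frozen=True)
class Policy:
    priority: int = 5                   # 1 = highest, serviced first under contention
    guarantee_kbps: int = 0             # minimum kept during congestion
    limit_kbps: Optional[int] = None    # cap on the class's total bandwidth
    max_sessions: Optional[int] = None  # admission control: concurrent sessions


@dataclass(frozen=True)
class Rule:
    cls: TrafficClass
    policy: Policy


def overlaps(a: TrafficClass, b: TrafficClass) -> bool:
    """True when one flow could fall into both classes: same direction, a
    shared service, and overlapping time-of-day windows."""
    return (a.direction == b.direction and bool(a.services & b.services)
            and a.hours[0] < b.hours[1] and b.hours[0] < a.hours[1])


def validate(rules: list, link_kbps: dict) -> list:
    """Policy validation: list the contradictions and ambiguities in a rule
    set; an empty list means the set is accepted."""
    problems = []
    for r in rules:  # a guarantee above the class's own limit is contradictory
        p = r.policy
        if p.limit_kbps is not None and p.guarantee_kbps > p.limit_kbps:
            problems.append(f"{r.cls.name}: guarantee exceeds limit")
    for direction, capacity in link_kbps.items():  # guarantees must fit the link
        total = sum(r.policy.guarantee_kbps for r in rules
                    if r.cls.direction == direction)
        if total > capacity:
            problems.append(f"{direction}: guarantees {total} kbps exceed "
                            f"link capacity {capacity} kbps")
    for i, a in enumerate(rules):  # two rules claiming the same flows is ambiguous
        for b in rules[i + 1:]:
            if overlaps(a.cls, b.cls) and a.policy != b.policy:
                problems.append(f"{a.cls.name}/{b.cls.name}: ambiguous rules")
    return problems


def classify(flow: dict, rules: list, hour: int) -> Optional[Rule]:
    """Match a flow (service, direction) to the rule whose class applies at
    this hour; None means no rule applies and the flow is only measured."""
    for r in rules:
        c = r.cls
        if (c.direction == flow["direction"] and flow["service"] in c.services
                and c.hours[0] <= hour < c.hours[1]):
            return r
    return None


def enforce(rule: Rule, active_sessions: int, demand_kbps: int) -> dict:
    """Apply the rule's policy: admission control on the session count and a
    bandwidth limit on the class rate; priority and guarantee are handed to
    the scheduler."""
    p = rule.policy
    admit = p.max_sessions is None or active_sessions < p.max_sessions
    rate = demand_kbps if p.limit_kbps is None else min(demand_kbps, p.limit_kbps)
    return {"class": rule.cls.name, "admit": admit, "rate_kbps": rate,
            "priority": p.priority, "guarantee_kbps": p.guarantee_kbps}


# The guidelines above written as rules; service sets and numbers are constructed.
GUIDELINE_RULES = [
    Rule(TrafficClass("control", frozenset({"TELNET", "DNS"}), "outbound"),
         Policy(priority=1)),
    Rule(TrafficClass("streaming", frozenset({"RealAudio", "Vxtreme"}), "inbound"),
         Policy(priority=2, max_sessions=4)),
    Rule(TrafficClass("push", frozenset({"PointCast", "Marimba"}), "inbound"),
         Policy(priority=9, limit_kbps=64)),
    Rule(TrafficClass("bulk-mail", frozenset({"SMTP", "NNTP"}), "outbound"),
         Policy(priority=5, guarantee_kbps=32)),
    Rule(TrafficClass("critical", frozenset({"SQLNet", "LDAP"}), "inbound"),
         Policy(priority=1, guarantee_kbps=256)),
]
LINK_KBPS = {"inbound": 1536, "outbound": 1536}  # constructed T1-sized link

if __name__ == "__main__":
    print("validation:", validate(GUIDELINE_RULES, LINK_KBPS) or "accepted")
    rule = classify({"service": "PointCast", "direction": "inbound"}, GUIDELINE_RULES, 14)
    print(enforce(rule, active_sessions=1, demand_kbps=500))
```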

In a specific embodiment, the present tool provides a 
comprehensive, flexible, rule-based paradigm for imple- 
menting traffic control, as illustrated by a simplified flow 
diagram 800 of FIG. 8. This flow diagram 800 is merely an
illustration and should not limit the scope of the claims
herein. One of ordinary skill in the art would recognize other
variations, modifications, and alternatives. Before explain-
ing the flow diagram, it may assist the reader by reviewing
some general terms used herein.

These terms include, among others, "rules" and "classes"
and "policies." Rules can be created for very specific groups
of flows or more general groups of flows, which are com-
monly all the stuff that transmits to and from a link to a
gateway point. Groups of flows are also referred to as traffic
classes, but are not limited to such classes. Classes also can
be defined by source, destination, application, file types,
URLs, and other features. Policies can be specified to
control traffic flows in terms of overall bandwidth
guarantees, bandwidth limits, priority of service, how indi-
vidual sessions within a class are serviced or admitted, and
other aspects. The present tool also has intelligent policy
validation that prevents users from defining any contradic-
tory or ambiguous rules. Policy validation is generally a
higher level check used by way of the present method.

The present method occurs at start, which is step 801 for
example. In general, a flow of information or data or packets
of information enter a gateway point, where the present tool
sits. The present method classifies (step 803) the flow of
information. Groups of flows can be referred to as traffic
classes, but are not limited to such classes. Classes also can
be defined by source, destination, application, file types,
URLs, and other features. Other examples of classes were
previously noted, but are not limited to these classes. In
general, step 803 classifies the flow of information received
into one of a plurality of predetermined classes.

The present tool measures parameters for each of the
classes in step 805, which were received, for example. These
parameters are based upon the policy or rule, which may be
applied in a later step. As merely an example, parameters
include the class itself, file sizes, and other information,
which can be used by the policy or rule to apply the policy
or rule to improve the quality of service for the network.
After measuring the parameters, the present method applies
a time stamp (step 807) on the parameters to correlate the
class of information received to a time, for example.

A step of determining whether to apply a policy occurs in
the next step 809. For example, if the class and the time (and
the link state in some embodiments) meet predetermined
settings, the policy is applied to the class in step 811 through
branch 810. Alternatively, if one of the elements including
the class, the time, or the link state do not meet the
predetermined settings, the policy does not apply and the
process continues to measure parameters through branch
808. Alternatively, the process continues to measure param-
eters through branch 813 after the policy is applied to the
flow of information for the class.

Depending upon the application, the policy is used to
improve the quality of service of the network by performing
at least one of a number of functions for the class of
information from the flow. These functions include, among
others, bandwidth guarantees, bandwidth limits, setting
priorities, admission control. The present process can also
halt or stop as shown in step 815. The steps occur, in part,
by way of the modules, which were previously described,
but can also occur using other techniques including a
combination of hardware and software, for example. These
sequences of steps are merely illustrative and should not limit
the scope of the claims herein. One of ordinary skill in the
art would recognize other modifications, alternatives, and
variations.

In a preferred embodiment, the present invention uses a
variety of graphical user interfaces for profiling and moni-
toring traffic. FIGS. 9A-15 are simplified representations of
graphical user interfaces for monitoring traffic according to

monitoring traffic can occur using one of a plurality of user
interfaces or graphical user interfaces. The present invention
provides a profiles tab 953, which can be selected using a
mouse or keyboard interface. The present method begins
with a start step, which is step 951. Upon selecting a profiles
tab 953, one of a plurality of tabs is prompted. These tabs
represent services 957, server 959, and client 961. These
tabs display relevant traffic statistics by every active service,
server, and client, respectively. By selecting one of the tabs,
the user can sort the information in ascending order
by clicking on any header (e.g., Kb Transferred), as illus-
trated in FIG. 9 for a service tab 900. Other functions that
can be performed using one of the profiles and the graphical
interface include:

Click the Refresh button, and the data is updated from the
profiling engine.

Click the Reset button 907, which clears all the respective data
from the profiling engine.

Click the Save As 909 button to save the respective data
to a log file. The data is saved as tab-separated text.

Each of the present user interfaces also includes function
keys 901 and a tool bar 903. Upon selecting the profiles tab,
a profiles light or display indication illuminates 911. As
shown, the main profiles tab also includes tabs for services
913, server 915, and client 917. Additional features of the
various tabs including the services tab, the server tab, and
the client tab are described below and refer to FIGS. 9, 10,
and 11, respectively, but are not limited to these descriptions.

1. Services Tab

FIG. 9 is a simplified diagram 900 of a representation of
a graphical user interface for a services tab according to the
present invention. In particular, the dialog box displays
cumulative traffic statistics for selected applications. The
services tab, which can be selected by default, provides the
following information:

Service Name

This field 919 shows what services (e.g., All Services,
FTP, HTTP, SMTP, POP3, SSL) the network uses. Summary
statistics for all services (e.g., inbound or outbound) are also
shown. Traffic from services that are not recognized by the
present tool are indicated as 'Others'.

Direction

This field 919 indicates whether the service is inbound or
outbound.

Note: Inbound and Outbound refer to the direction of data
flow, not the request.

Kb Transferred

This field 923 shows the amount of data transferred in
inbound or outbound direction. As shown, the amount of
data can be in kilobits transferred. Additionally, the amount
of data can be referred to as a percentage of all services.

Connect Response Time

This field 925 indicates an average time to establish a
session. The connect response time is in milliseconds, but is
not limited to this time. The minimum and maximum
connect response time is also shown in parenthesis.

Request Response Time

This field 927 indicates an average response time for an
application request. The request response time is in
milliseconds, but is not limited to this time. The minimum

the present invention. These representations are merely and maximum request response time is also shown in 

illustrative and should not limit the scope of the claims parenthesis. 

herein. One of ordinary skill in the art would recognize other Note: This measure is application specific and does not 

variations, modifications, and alternatives. 65 apply to all services. For example, for HTTP, it is the time 

FIG. 9A is a simplified flow diagram 950 of a profiling taken by a URL to start sending data after a request for a file 

method according to the present invention. Profiling or was made by a Web browser. 
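The per-service, per-server and per-client statistics described for the three tabs (kilobits transferred and the percentage of all services, average connect and request response time with minimum and maximum, total sessions, the retry and server-abort percentages, last activity, and the 'Others' row for unrecognized services and for hosts beyond the profiling limit) can all be derived from per-session records. The following is an added example and is not the patent's tool or its code; the session record layout, the set of recognized services and the 256-host limit are assumptions modelled on the field descriptions, and the sample sessions are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Assumptions (not from the patent): which services the profiler recognizes and the
# per-tab host limit. Unrecognized services and hosts past the limit fold into 'Others'.
KNOWN_SERVICES = {"FTP", "HTTP", "SMTP", "POP3", "SSL"}
MAX_PROFILED_HOSTS = 256


@dataclass
class Session:
    client: str
    server: str
    service: str
    direction: str               # "inbound"/"outbound": direction of data flow, not of the request
    kbits: float                 # kilobits transferred in that direction
    connect_ms: float            # time to establish the session
    request_ms: Optional[float]  # application response time; None where not applicable
    retried: bool                # the connect request had to be retried
    server_abort: bool           # the session was aborted by the server
    last_seen: int               # epoch seconds of the last data seen


@dataclass
class _Acc:
    """Running totals for one row of a tab."""
    kbits: float = 0.0
    sessions: int = 0
    retries: int = 0
    aborts: int = 0
    connect_ms: List[float] = field(default_factory=list)
    request_ms: List[float] = field(default_factory=list)
    last_seen: int = 0

    def add(self, s: Session) -> None:
        self.kbits += s.kbits
        self.sessions += 1
        self.retries += int(s.retried)
        self.aborts += int(s.server_abort)
        self.connect_ms.append(s.connect_ms)
        if s.request_ms is not None:          # request response time is service specific
            self.request_ms.append(s.request_ms)
        self.last_seen = max(self.last_seen, s.last_seen)


def _avg_min_max(xs: List[float]) -> Optional[Tuple[float, float, float]]:
    return (sum(xs) / len(xs), min(xs), max(xs)) if xs else None


def _pct(part: float, whole: float) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def _row(acc: _Acc, total_kbits: float) -> Dict[str, object]:
    return {
        "kb_transferred": acc.kbits,
        "pct_of_all": _pct(acc.kbits, total_kbits),
        "connect_response_ms": _avg_min_max(acc.connect_ms),   # (average, min, max)
        "request_response_ms": _avg_min_max(acc.request_ms),
        "total_sessions": acc.sessions,
        "retries_pct": _pct(acc.retries, acc.sessions),
        "server_aborts_pct": _pct(acc.aborts, acc.sessions),
        "last_active": acc.last_seen,
    }


def profile(sessions: Iterable[Session], tab: str) -> Dict[str, Dict[str, object]]:
    """Aggregate sessions the way the Services, Server or Client tab does.

    tab="service" keys rows by service name and direction ("HTTP/inbound");
    tab="server" / "client" keys rows by host. An "All" row carries the summary
    statistics across every session.
    """
    rows: Dict[str, _Acc] = defaultdict(_Acc)
    everything = _Acc()
    profiled_hosts: set = set()
    for s in sessions:
        if tab == "service":
            name = s.service if s.service in KNOWN_SERVICES else "Others"
            key = f"{name}/{s.direction}"
        else:
            host = s.server if tab == "server" else s.client
            if host in profiled_hosts or len(profiled_hosts) < MAX_PROFILED_HOSTS:
                profiled_hosts.add(host)
                key = host
            else:
                key = "Others"               # hosts beyond the limit are not profiled individually
        rows[key].add(s)
        everything.add(s)
    result = {k: _row(a, everything.kbits) for k, a in rows.items()}
    result["All"] = _row(everything, everything.kbits)
    return result


# Constructed sample sessions (not measurements from the patent's tool).
SAMPLE = [
    Session("10.0.0.5", "www.example.com", "HTTP", "inbound", 120, 40, 300, False, False, 1000),
    Session("10.0.0.5", "www.example.com", "HTTP", "inbound", 80, 60, 500, True, False, 1100),
    Session("10.0.0.7", "ftp.example.com", "FTP", "outbound", 560, 100, None, False, True, 1050),
    Session("10.0.0.7", "192.0.2.9", "GOPHER", "inbound", 40, 20, None, False, False, 900),
]

if __name__ == "__main__":
    for tab in ("service", "server", "client"):
        print(f"== {tab} tab ==")
        for name, row in profile(SAMPLE, tab).items():
            print(f"{name:22} {row}")
```

Running the block prints the three tabs for the sample. Note how the GOPHER session lands in 'Others/inbound' on the services tab but is still attributed to its own server and client on the other two tabs, and how the request response time of the FTP row is reported as not applicable rather than as zero.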
Total Sessions

This field (not shown) indicates the total number of sessions established for this service.

Retries

This field (not shown) indicates the percentage of connect requests that needed to be retried. Retries can result from network congestion, packets dropped in the network or server congestion.

Server Aborts

This field (not shown) indicates the percentage of sessions aborted by the server.

Time

This field (not shown) indicates the last time the service was active.

2. Server Tab

FIG. 10 is a simplified diagram 1000 of a representation of a graphical user interface for a server tab according to the present invention. Upon selecting or clicking the server tab 915, screen 1000 appears. The dialog box displays cumulative traffic statistics for every active server. The server tab provides the following information, but is not limited to such information:

Server

This field 1001 shows the server host name, URL or IP address. Summary statistics for all servers are also shown.

Note: In one aspect of the invention, the present tool can profile up to 256 servers. Subsequent traffic from new servers is indicated as 'Others'.

Host names can also be displayed in some embodiments.

Kb Transferred

This field 1003 shows the amount of data transferred from the server. As shown, the amount of data can be in kilobits transferred. Additionally, the amount of data can be referred to as a percentage of all services.

Round Trip Time

This field 1005 indicates an average round trip delay for packets sent to the server. The round trip time is in milliseconds, but is not limited to this time. The minimum and maximum round trip time is also shown in parenthesis.

Connect Response Time

This field 1007 indicates an average time to establish a session with the server. The connect response time is in milliseconds, but is not limited to this time. The minimum and maximum connect response time is also shown in parenthesis.

Total Sessions

This field 1009 indicates the total number of sessions established to the server.

Retries

This field (not shown) indicates the percentage of connect requests that needed to be retried. Retries can result from network congestion, packets dropped in the network or server congestion.

Server Aborts

This field (not shown) indicates the percentage of sessions aborted by the server.

Access Speed

This field (not shown) indicates the bottleneck speed for the route between the present tool as a host and a server.

Data Retransmits

This field (not shown) indicates the percentage of data packets that were retransmitted by the server.

Time

This field (not shown) indicates the last time data was received from the server.

3. Client Tab

FIG. 11 is a simplified diagram 1100 of a representation of a graphical user interface for a client tab according to the present invention. When the client tab 917 is selected or is clicked using a user interface, screen 1100 appears. The dialog box displays the cumulative traffic statistics for the clients. The client tab provides the following information, but is not limited to such information:

Client

This field 1101 shows the client host name or IP address. Summary statistics for all clients are also shown.

Note: The present tool can profile up to 256 clients in some embodiments. Subsequent traffic from the clients is indicated as 'Others'.

Kb Transferred

This field shows the amount of data transferred to the client. As shown, the amount of data can be in kilobits transferred. Additionally, the amount of data can be referred to as a percentage of all services.

Round Trip Time

This field indicates an average round trip delay for packets from this client. The round trip time is in milliseconds, but is not limited to this time. The minimum and maximum round trip time is also shown in parenthesis.

Connect Response Time

This field 1105 indicates the average time to establish a session from the client. The connect response time is in milliseconds, but is not limited to this time. The minimum and maximum connect response time is also shown in parenthesis.

Total Sessions

This field 1109 indicates the total number of sessions established from the client.

Retries

This field (not shown) indicates the percentage of connect requests that needed to be retried. Retries can result from network congestion, packets dropped in the network or server congestion.

Server Aborts

This field (not shown) indicates the percentage of sessions aborted by the server.

Time

This field (not shown) indicates the last time the client received data through the link used by the present tool.

The present invention provides the aforementioned tool for profiling a variety of information from a flow of information at a communication link. The tool has an easy to use graphical user interface, which can sort information by at least services, client, or server, depending upon the application. The illustrations shown are merely used as examples and should not limit the scope of the claims herein.

In a specific embodiment, the present invention with graphical user interface begins profiling upon installation. In particular, the present tool is installed onto a server to automatically start profiling traffic in inbound and outbound directions without any further configuration. The present tool can be stopped and restarted manually from a user interface. While the present tool is stopped, profiling is interrupted temporarily.

The present invention provides additional easy to use graphical tools to monitor and profile traffic. In one aspect, the present invention takes advantage of a Windows NT™ Performance Monitor to monitor traffic for any measurement or control rule that is created. In another aspect, the present invention can launch the Performance Monitor from the 'Administrative Tools' Program group and select counters for monitoring incoming and outgoing traffic from a link.

FIG. 12 is a simplified graphical user interface 1200 to launch a performance monitoring tool according to the
present invention. This interface is merely an illustration and should not limit the scope of the claims herein. A method for launching the present tool occurs, in part, by selecting or clicking on the performance monitor tab 1201. The display shows available traffic classes 1201 (e.g., FTP, HTTP, PointCast), which have been defined in the traffic policy. Note that a traffic class is not a rule. There may be more than one rule that belongs to the same traffic class. Traffic classes are created when rules are edited. A traffic class is defined by at least a source, destination, and service properties. The display includes a group of option buttons 1207 titled monitor, which allows a user to specify whether the user wants to monitor bandwidth consumption 1209, connect time 1211, or connect retries 1213 for the selected classes. A prompt box 1215 above the option buttons 1207 provides a brief explanation of the selected option. A Launch button 1205 launches the performance monitor tool. To launch the present performance monitor tool:

1. Select one or more traffic classes 1203 in the list.

2. Choose monitor by clicking on an appropriate option button (e.g., bandwidth consumption, response time, failures) 1207 in the monitor group.

3. Push launch button 1205.

As merely an example, FIG. 13 is a simplified graphical user display 1300 for bandwidth consumption according to the present invention. As shown, the Fig. is an example of Class Bandwidth 1305 monitoring for a few services 1307 such as FTP, HTTP, etc. over a 56 Kbit Internet link. The vertical axis 1302 illustrates a bandwidth scale from "0" to "56.0" kbits and the horizontal axis represents time 1306. The plurality of line plots 1304 each represent one of the services 1307, which are each color coded 1301 for easy reading by the user. The display also includes an object 1309 and a computer 1311, which is being used to monitor the traffic. Accordingly, the present display includes a graphical portion 1310 and a text portion 1320. The graphical portion includes the plurality of plots representing the services for bandwidth consumption as functions of time. The text portion is in the form of a legend, but can also include other information.

The illustration in the above Fig. is merely an example and should not limit the scope of the claims. Although the present example has been described in terms of bandwidth consumption, the present performance monitor tool can also be used to monitor a variety of other parameters, as discussed above. These other parameters include, among others, connect time, or connect retries for the selected classes. Furthermore, the present tool has other types of charts such as a bar chart, a pie chart, and the like. Of course, the parameter being profiled and monitored depends upon the application.

In an alternative embodiment, the present invention provides a user interface for modifying the plots or charts, such as the one previously described, as well as others. FIG. 14 is a simplified interface tool 1400 used to modify chart styles, scales, charting intervals etc. This tool is merely an example and should not limit the scope of the claims herein. The present tool has an "OK" button for saving or storing selected chart options. A "cancel" button 1403 is also shown to delete or remove selected chart options. A help button 1405 is shown to identify features of any of the chart options. Numerous chart options 1407 exist. For example, options include, among others, a legend, a value bar, a vertical grid, a horizontal grid, and vertical labels. To select any one of these options, the user clicks onto the box located next to the option or enters the underlined key designating the option. Chart options also include a gallery 1409, either in graph or histogram form. Additionally, the chart can have a maximum vertical scale 1411 such as the 56 for 56 kbits/second. Furthermore, the chart can have a refreshing or updating cycle time 1413. In one aspect, the cycle time can be manually updated. Alternatively, the cycle time can be periodically updated. When using the periodically updating feature, a time interval (e.g., seconds) needs to be specified and entered into a field, as shown.

FIG. 15 is a simplified graphical user interface 1500 for adding or specifying an additional chart according to the present invention. This interface or tool is merely an example and should not limit the scope of the claims herein. The interface allows the user to select the parameters to be monitored on the chart. These parameters include, among others, the computer to be monitored 1507, the object 1509, and others. Depending on the types of parameters being monitored or profiled, specific options can be selected. These options include, among others, line style 1517. A counter definition 1515 is also made or selected. Once all the changes have been made or selected, the user can add the changes to be monitored by the tool by pressing or selecting the add button 1501. Alternatively, the user may start over by selecting the cancel button 1503. If the user would like an explanation of any of the features described in the tool, the user may select either the explain button 1505 or the help button. Of course, this user interface is merely an example and should not be limiting in any manner outside the spirit and scope of the claims.

In an alternative aspect, the present monitoring or profiling tool can save a chart or plot. In particular, the present tool can save snapshots of measurements to a disk file or the like. As merely an example, the present tool can save snapshots using the following sequence of steps, which should not be construed as limiting:

Go to view/log in the tool to configure a log file;

Add measurements to the file and start and/or stop logging.

Furthermore, the present tool provides congestion, utilization, and performance degradation reports, which make day to day troubleshooting much simpler and serve to justify or validate policy setting decisions. For example, a chronic problem affecting a service through a day period (i.e., 24 hour) can be monitored by a combination of real-time monitoring and congestion reports. By monitoring and using the reports, it may be determined that the affected service is not getting its due share of bandwidth, or a limitation exists with the server or in the Internet backbone.

DISTRIBUTED BANDWIDTH MANAGEMENT

In a specific embodiment, the present invention provides techniques for distributed bandwidth management. The present distributed bandwidth management tool can be used to enable and implement end-to-end QoS ("EQOS") and full-cycle Traffic Management ("FTM") in an enterprise network, the Internet, and the like.

Before proceeding to the specific embodiments, however, it may assist the reader to understand the following definitions, which should not be limiting.

1. Distributed policy management ("DPMA"): DPMA is a technique or solution that enables and implements end-to-end QoS (EQOS) and full-cycle Traffic Management (FTM) in an enterprise network and the Internet.

2. Full-Cycle Traffic Management ("FTM"): Traffic management with feedback control for reporting and/or monitoring.
3. End-end Quality of Service ("EQOS"): EQOS enables end-end controls if necessary. In one embodiment, an EQOS Agent is installed on the participating client and server stations. It is used to enable EQOS support in cases where this cannot be done by proxy using routing/switching/firewalling devices.

4. Flow Analysis and Measurement Engine ("FAME"): FAME detects and measures traffic by business application and/or transaction. FAME provides components at a client and/or server to accurately detect requests to business applications. It incorporates an application definition language which also specifies measurement methods for the application. FAME can also be incorporated into a gateway product, a firewall, a switch, or router.

5. Distributed Bandwidth Broker ("DBB"): Server based distributed bandwidth management engine for allocating traffic in an enterprise network or Internet.

6. User Resolution Service ("URS"): URS transparently detects traffic by users who log into a network or server. An enterprise network may choose to implement a variety of techniques to authenticate users, including password based internal directories, remote access directories, firewall directories, tokens or smart cards. URS provides components that run on the client, directory or security server to detect login events and track changes to a user's network location (e.g., address). This provides DBMA with the means to enforce policies based on named users/groups, no matter how and where they login from.

7. Enterprise Traffic Server ("ETS")/Enterprise Policy Server ("EPS"): ETS/EPS performs traffic analysis and is a policy mediation server. ETS/EPS generally maintains the integrity of QoS for all requesting and enforcing components in the DBMA solution. Some functions include:

Dynamic traffic and policy analysis, utilizing active monitoring of devices or probing of the network;

Translates policies into dynamic actions that are communicated to enforcement devices via a policy exchange protocol or a standard network management protocol, e.g., SNMP, TELNET;

Provides security to the QoS solution, so that no entity can work around the enterprise policy;

Publishes statistics to management components; and

Translates external events into changes in policy (event-driven policies).

8. Enterprise Policy Manager ("EPM"): EPM creates traffic policy, leveraging existing management directories. EPM allows the creation and validation of business-level enterprise-wide policies relating to traffic management and security, including policies that are created or tuned by events from other programs or network management solutions. EPM transparently leverages existing directory services to access previously defined management objects (e.g., users/groups) and for storing policies.

9. Directory Access and Resolution Service ("DARE"): DARE is generally a directory access and resolution engine to access multiple directories. That is, one or more directories can be accessed by way of this resolution engine.

The above definitions are merely intended to assist the reader in understanding some of the terms described herein. They are not intended, in any manner, to limit the scope of
the claims. One of ordinary skill in the art would recognize other variations, modifications, and alternatives.
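The policy-application flow of steps 805 to 815 (measure a classified flow, time-stamp it, test class, time and link state against the rule's settings, then apply a bandwidth guarantee, limit, priority or admission decision) and the definitions above can be put together in a few lines of code: a URS-style resolver turns login events into a mapping from address to named user and group, rules name users or groups rather than addresses, and one rule is event-driven in the ETS/EPS sense, firing only when a measured response time breaches a threshold. The following is an added example, not the patent's code; the rule layout, the "group:" prefix convention, the link-utilization condition and all users, addresses, services and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    """One measured flow (step 805) with its class parameters and time stamp (step 807)."""
    src: str
    dst: str
    service: str
    kbps: float
    response_ms: float
    stamp: datetime


class UserResolver:
    """URS-style resolver (assumed design): login events bind an address to a named user,
    so a rule can say 'group:Sales' instead of an IP; a later login at the same address
    replaces the earlier binding, which is how a user's change of location is tracked."""

    def __init__(self, groups: Dict[str, str]):
        self.groups = groups                      # user -> group, assumed to come from a directory
        self._events: List[Tuple[datetime, str, Optional[str]]] = []

    def login(self, when: datetime, address: str, user: Optional[str]) -> None:
        self._events.append((when, address, user))   # user=None records a logout

    def user_at(self, address: str, when: datetime) -> Optional[str]:
        user = None
        for t, addr, u in sorted(self._events, key=lambda e: e[0]):
            if addr == address and t <= when:
                user = u                          # last binding before 'when' wins
        return user

    def group_at(self, address: str, when: datetime) -> Optional[str]:
        user = self.user_at(address, when)
        return self.groups.get(user) if user else None


@dataclass
class Rule:
    name: str
    src: Optional[str]          # address, "group:<name>", or None for any
    dst: Optional[str]
    service: Optional[str]
    start: time                 # timeframe during which the rule is active
    end: time
    action: str                 # guarantee | limit | priority | admission
    value: float
    min_utilization: float = 0.0                 # link-state condition: link at least this busy
    response_ms_over: Optional[float] = None     # event-driven: fire only on a response-time breach

    def _endpoint_ok(self, want: Optional[str], addr: str, urs: UserResolver, when: datetime) -> bool:
        if want is None or want == addr:
            return True
        if want.startswith("group:"):
            return urs.group_at(addr, when) == want[len("group:"):]
        return False

    def matches(self, flow: Flow, utilization: float, urs: UserResolver) -> bool:
        return (self.start <= flow.stamp.time() <= self.end
                and self._endpoint_ok(self.src, flow.src, urs, flow.stamp)
                and self._endpoint_ok(self.dst, flow.dst, urs, flow.stamp)
                and (self.service is None or self.service == flow.service)
                and utilization >= self.min_utilization
                and (self.response_ms_over is None or flow.response_ms > self.response_ms_over))


def decide(flow: Flow, rules: List[Rule], utilization: float, urs: UserResolver) -> List[Tuple[str, str, float]]:
    """Step 809: the (rule, action, value) triples to apply (step 811 via branch 810);
    an empty list means nothing matched and measurement simply continues (branch 808)."""
    return [(r.name, r.action, r.value) for r in rules if r.matches(flow, utilization, urs)]


def build_demo() -> Tuple[List[Rule], UserResolver]:
    """Constructed rules and login events for one day (not taken from the patent)."""
    urs = UserResolver({"alice": "Sales", "bob": "Engineering"})
    day = datetime(2024, 1, 8)
    urs.login(day.replace(hour=8, minute=55), "10.0.0.5", "alice")
    urs.login(day.replace(hour=13), "10.0.0.9", "alice")          # alice moves to another desk
    urs.login(day.replace(hour=13, minute=5), "10.0.0.5", "bob")  # bob takes over her old address
    rules = [
        Rule("sales-sap-guarantee", "group:Sales", "sap.corp.example", "SAP",
             time(8, 0), time(18, 0), "guarantee", 256),
        Rule("pointcast-limit", None, None, "PointCast",
             time(0, 0), time(23, 59, 59), "limit", 32, min_utilization=0.8),
        Rule("slow-http-priority", None, None, "HTTP",
             time(0, 0), time(23, 59, 59), "priority", 1, response_ms_over=2000),
    ]
    return rules, urs


def flow_at(hour: int, src: str, dst: str, service: str, response_ms: float = 300) -> Flow:
    """Convenience constructor for a flow measured on the demo day."""
    return Flow(src, dst, service, 200, response_ms, datetime(2024, 1, 8, hour))


if __name__ == "__main__":
    rules, urs = build_demo()
    print(decide(flow_at(10, "10.0.0.5", "sap.corp.example", "SAP"), rules, 0.5, urs))
    print(decide(flow_at(14, "10.0.0.5", "sap.corp.example", "SAP"), rules, 0.5, urs))
```

The second printed decision is empty: the same address that carried Sales traffic at 10:00 belongs to an Engineering user after 13:05, so the guarantee no longer applies even though nothing about the packets changed. Keying rules on resolved users rather than addresses is what makes that possible, and it is also why the resolver's login feed needs to be trustworthy: whoever can inject login events can move a bandwidth guarantee.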

The present distributed bandwidth management embodiment has one or more of these benefits. In one aspect, the present invention provides a business-driven policy management tool for users and/or transactions. The present invention or tool can be implemented into a network without substantial changes to the network infrastructure. The present tool also can provide control at, for example, a user and for a business transaction. The present invention can also be implemented to work with a variety of data rates, e.g., 100 Mbps to 56 Kbps. Furthermore, the present invention can support a full range of traffic controls, including queuing, precise rate control, congestion control, reservation, class-based allocation and prioritization, and others. Still further, the present invention supports server-based and router/switch-based controls, separately or together. In other embodiments, the present invention provides for integrated monitoring, event handling, and event-driven policy settings. These and other benefits are described in more detail below with reference to the Figs.

FIG. 16 is a simplified diagram 1600 of a distributed policy management ("DPMA") system according to an embodiment of the present invention. This diagram is merely an illustration and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. The system 1600 includes a variety of elements. They include a plurality of switches including a workgroup switch 1601, a server switch 1603, a backbone switch 1605, and others. The system also includes routers such as a data center router 1607, a WAN router 1609, and others. The workgroup switch couples to the backbone switch. The workgroup switch also couples to a policy manager 1611, client/server 1613, an IP video/phone 1615, and voice gateway 1617, which includes a phone 1619. The WAN router is coupled between the backbone switch and wide area network 1621, e.g., Internet. The switch 1603 couples to application server 1623 and video server 1625. The switch 1603 also connects to data center router 1607, which is connected to the backbone switch. The backbone switch is connected to a variety of elements such as policy services 1627, IP call server 1629, DNS/DHCP 1631, NOS authentication 1633, directory services 1635, and other elements. The present system is merely an example and should not limit the scope of the claims herein.

A variety of quality of service ("QoS") agents are distributed throughout the network. One agent is placed in the voice gateway. One agent is placed in the application and video servers. One agent is at the policy services. An agent can also be placed selectively at other locations of the network. Each agent is used to monitor and control bandwidth using one of the techniques described herein as well as others. Each agent is also coupled to the present DPMA tool. Although the system is generally described in terms of one or more agents, the system is not limited to such one or more agents.

In one aspect, DPMA includes, among other elements, the following components. DPMA has FAME, which is used to detect and measure traffic by application and transaction. DPMA also has URS, which transparently detects traffic by user(s) who log in to the network or server, and EPM, which creates traffic policy, leveraging existing management directories. DPMA includes EPS/ETS for traffic analysis and as a policy mediation server. An EQOS Agent, which enables end-to-end controls if necessary, is also included in the DPMA.
The present system includes a rich set of network services that can be managed using a policy-based approach. As merely an example, policies are rules that govern the behavior of the networking infrastructure in providing services such as QoS, security, and voice/video. Policies are usually stored in a database such as an LDAP compliant directory.

In one embodiment, the present invention provides a technique for policy management. The technique includes a framework for managing a services based network. The technique also includes delivering and implementing business goals by ensuring that the policies that govern the network reflect those goals. The present invention also provides for a "self healing" network, which brings the network back to its normal operating state upon changes. The policy-based, directory-enabled approach allows services to be provided in accordance with user and application requirements and provides a much higher degree of automation in the management of the network. This automation not only makes management less labor intensive, it also improves the timeliness and quality of network management — with the ultimate goal being the self-correcting, self-healing network.

FIG. 17 is a simplified diagram 1700 of an intelligent network according to an embodiment of the present invention. This diagram is merely an illustration and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. The intelligent network includes a variety of elements or building blocks, which can be distributed throughout the network. The present network includes a graphical management console through which high level network policies derived from business objectives can be created.

The present network also includes a Meta-Policy Service 1701, which provides event management and communicates with the other elements of the management system such as the directory services 1703, policy-enabled network services, intelligent agents and external systems. In one aspect, directory services include user profiles, network device information, and network policies, which are integrated with address management services for IP address assignment ("DHCP") and name-address resolution ("DNS servers"). The network also includes network services such as QoS 1709, security 1707, accounting and billing 1711, device configuration 1713, and others 1715. Network switching 1705 such as routers, switches, firewalls, and others represents the physical layer of the present network.

The network further includes intelligent agents that monitor and control network traffic, and which have application level intelligence up to layer seven and others. This not only enables them to manage traditional IP services (ftp, telnet, SMTP and so on) but also business applications and multimedia streams that blend voice, interactive video and data. These agents may be stand alone or embedded in networking devices such as switches and routers, which can be enabled to intelligently enforce policies such as prioritizing business critical traffic, which gives SAP R/3 traffic priority over PointCast™ stock quote updates, for example. The agent can also reside on application servers, which takes advantage of the intelligence of these end-node devices while off-loading the network devices themselves. This takes advantage of the distributed intelligence of the network and the hosts connected to it.

Given the above background, the present invention includes other aspects of the network elements, which are described below.

The meta-policy service can distribute policies to intelligent agents, maintain network state information, correlate dynamic events, and perform other functions. The service can also take corrective action in accordance with pre-determined network policies such as the ones described herein. For example, such an action might entail dynamically re-allocating bandwidth based on network response time for a critical application, or changing the security permissions of a given user based on his or her move to a different department within a company.

Directory services are used to implement policy-based management. The directory services maintain user profiles, network device information as well as network policies. Directory services can also be integrated with address assignment ("DHCP") and address resolution ("DNS") servers. This integration can help to automate more of the administration of the network and to make it simpler to create network policies that are based on higher level objects such as users, groups and organizational units — rather than low level entities such as IP or MAC addresses.

QoS is a service within the intelligent network, and is dependent on a policy management framework. In a dynamic environment of an IP network, for example, the ability to ensure that user and application requirements for throughput and response time are met in a timely fashion is important in some cases. It makes it possible for service providers to provide differentiated services. And it makes it possible for IT managers to ensure that business critical applications will not be overwhelmed by competing, low priority application traffic. Similarly, it makes it possible for applications with widely varying latency requirements — voice and data, for example — to co-exist on the same network.

Security services include functions such as access control, authentication, authorization, and encryption.

Device configuration is one of the more complex tasks associated with the management of the network, in that it is a highly device specific task. This function tends therefore to be the province of each individual hardware vendor. But it lends itself to a policy management approach in helping to automate tedious functions such as software updates on routers and switches.

Accounting and billing services go hand in hand with the differentiated services approach to managing the network. Since the value of information varies greatly by its timeliness, content, source and destination, it makes sense to charge for service on the basis of the value delivered.

Network devices include, for example, switches, routers and firewalls. Increasingly, these will tend to be intelligent devices with embedded intelligent agents, so that they become active participants in the policy management framework.

FIG. 18 is a simplified diagram 1800 of an intelligent network according to an alternative embodiment of the present invention. This diagram is merely an illustration and should not limit the scope of the claims herein. One of ordinary skill in the art would recognize other variations, modifications, and alternatives. Similar to the Internet itself, the present intelligent management system can be implemented in a decentralized fashion. Decentralization provides a variety of benefits of more flexibility, more resilience, more scalability and a greater adaptability in meeting future and/or ongoing needs. The present system includes a policy manager 1801 that oversees a network. The policy manager includes directory access and a resolution engine 1803. The
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directory access and resolution engine interface with policy- 
driven services 1805. 'Hiese engines monitor and control 
enablennent and enforcement agents 1813. Additionally, the 
directory access interfaces with management stations net- 
work services 1811 through SNMP. Additionally, directory 5 
access interface switch business systems 1809 via applica- 
tion protocol interface ("APr'). The directory access also 
interfaces with directories and DNS/DHCP address manage- 
ment. Details of the above elements are described in more 
detail below. lO 

1) The Policy Management interface or policy manager: The manager is
implemented in, for example, a Web based, graphical user interface. The
interface is preferably on an MIS manager's desk, for example. The interface
can be used for a variety of functions such as to profile the network, create
policies and to view their results. In some embodiments, the manager can be
implemented at one of many locations. That is, it provides a location
independent user interface along the network. Additionally, the manager can be
a Java-based browser that can be implemented anywhere on the network, local,
or remote.

As merely an example, FIG. 19 illustrates a screen 1900 or graphical user
interface (GUI) from the manager, which serves to illustrate the look and feel
of a policy management interface. The present figure is merely an illustration
and should not limit the scope of the claims herein. The user interface has
been configured as rows and columns, where the rows represent a traffic class
or category. Each column represents one of many features for each class or
category of traffic. The feature can be, for example, a rule 1901, a sender
1903, a receiver 1905, a service 1907, time 1909, bandwidth allocated 1911,
priority 1913, and admissions 1915. Through this GUI, the present invention
uses policies to define both monitoring and control actions. These rules
incorporate:

A traffic class, which defines a flow or set of flows including source,
destination, application and file type. Traffic classes can incorporate users
and groups, which may be defined in repositories such as NT domains or
Novell's NDS;

A timeframe;

A QoS policy (e.g., a bandwidth reservation, a limit or guarantee, a priority
level);

The type of signaling or enforcement (e.g., WFQ, RSVP, IP Precedence) used by
the enforcing agent. These can be either manually configured or, through
integration with network management platforms, they can be discovered.

The GUI also allows configuring event-triggered actions, such as invoking a QoS
control policy when the network response time detected by an intelligent agent
fails to meet the required threshold. Alarms and notifications can also be
specified, in order to determine which events will trigger an alarm, at what
threshold, and in what form, e.g., email notification, pager message, SNMP
trap, log entry and so on.

2) The Meta-Policy Service performs multiple functions. The service provides a
meta-directory function, through interfacing to one or more directory services
via a common API, using either LDAP or proprietary protocols such as the one
used by Novell's NDS. It also interfaces with address management services such
as DNS and DHCP (and is aware of DHCP leases). These functions may be critical
for interfacing with a variety of directory services (e.g., LDAP and non-LDAP)
and for ensuring that the service operates in environments where no directories
exist or where traffic classes will be defined using entities other than a
directory entity, such as a DNS name, for example. The service receives dynamic
network event information from external systems such as RMON probes and
business applications, and can in turn distribute network event information to
other systems. The service also correlates and evaluates events, in order to
provide intelligent event handling for the various policy-driven services.

3) Policy Services evaluate and interpret policy requests. In responding to
policy requests, these "policy decision engines" (Policy Decision Points, or
PDPs) take several variables into account: pre-configured business rules, the
nature of the request, dynamic events, network topology and the state of the
network (e.g., utilization). Multiple instances of any Policy Service can be
deployed in order to improve scalability. Each will handle the devices and
agents within its administrative domain.

Note: Other services such as a RADIUS server and an 
H.323 gatekeeper could also be considered to be policy 
servers. 

4) Policy Transaction protocols: Such protocols can be an essential piece of
the policy management framework, and include protocols such as RADIUS, COPS and
DIAMETER. Initially, the Policy Server will often support COPS RSVP v1 clients
and agents (via COPS extensions).

5) Policy Proxy: This is a software module which can "push" policies (i.e.,
configure enforcement policies) on devices which are not "policy aware". A
policy aware device is one that is capable of contacting a Policy Decision
Engine via a policy Transaction Protocol. The present device can support QoS
configuration of Cisco and Bay network devices. The communication mechanism
will be SNMP SETs and/or HTTP and/or CLI and/or Telnet.

6) Intelligent agents are of at least two kinds (which may run on the same
device):

Policy Enforcement Points: These reside in the data path and have enforcement
capabilities such as blocking/dropping/queuing/modifying packets as they flow
through the enforcement point. If a policy enforcement node does not have
sufficient context to make an enforcement decision, it may refer to another
node, a policy decision engine, via a policy transaction protocol such as COPS.
Examples of such agents are routers, switches, firewall agents and others
running on NT or UNIX servers. These agents may enforce a policy that has been
statically configured, e.g., give highest priority to any SAP R/3 packets, or
simply honor the priority that is signaled by RSVP or by Type of Service (ToS)
bits set in the incoming packet.

Policy Enablement Points or Proxies: These also commonly reside on the data
path and are capable of QoS signaling and can do so on behalf of legacy
applications which may not be QoS aware. For example, the present agent might
reside on an NT or UNIX application server and enable IP Precedence support by
setting the ToS bits in the IP header of packets generated by a critical
application such as an SQL database application. Downstream enforcement points
would then enforce this ToS-defined priority level using, for example, the
multi-level queuing capabilities of a router. This enablement function
implemented on the end node can alleviate the processing burden that is
otherwise imposed on network devices such as routers and can eliminate the need
for expensive upgrades to the router infrastructure.
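The following Python program is an added illustration of the two agent roles just described; it is not the patent's agent code. It shows an enablement point setting IP Precedence on a legacy application's socket through the IP_TOS socket option, and an enforcement point reading the precedence from the IPv4 header to select a queue. The names mark_socket, enforce, build_ipv4_header, QUEUE_FOR_PRECEDENCE, the trusted source range 192.0.2.0/24 and the sample headers are constructed for the illustration. It also adds the check a practitioner wants around the "honor the ToS bits set in the incoming packet" case: any host can write its own ToS byte, so the enforcement point honors marks only from sources known to run the enablement agent and re-marks every other packet to the policy value, recomputing the header checksum, and it drops headers that are not IPv4, are truncated, or fail the checksum.

```python
"""IP Precedence marking and enforcement (added illustration, not the patent's
agent code; mark_socket, enforce, TRUSTED_SOURCES and the sample headers are
constructed). ToS byte layout follows RFC 791: precedence is bits 7-5."""
import ipaddress
import socket
import struct

PRECEDENCE_HIGH = 5  # "high priority" for the Web server in the example
# Hosts that run the enablement agent; only their marks are honored (constructed).
TRUSTED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]
QUEUE_FOR_PRECEDENCE = {0: "best-effort", 1: "best-effort", 2: "bulk", 3: "bulk",
                        4: "priority", 5: "priority", 6: "control", 7: "control"}

def tos_from_precedence(precedence):
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is a 3-bit field")
    return precedence << 5

def precedence_from_tos(tos):
    return (tos >> 5) & 0x7

def mark_socket(sock, precedence):
    """Enablement agent: every packet the legacy app sends on sock gets this ToS."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos_from_precedence(precedence))
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)

def ipv4_checksum(header):
    """RFC 791 header checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, tos=0, payload_len=0, proto=17):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64, proto,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def enforce(packet, policy_precedence=0):
    """Enforcement point: returns (queue, packet). Marks from TRUSTED_SOURCES are
    honored; any other source is re-marked to policy_precedence so an arbitrary
    host cannot claim the priority queue by setting its own ToS byte."""
    ver_ihl, tos = packet[0], packet[1]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl or ipv4_checksum(packet[:ihl]):
        return "drop", packet  # not IPv4, truncated, or corrupt header
    if not any(ipaddress.IPv4Address(packet[12:16]) in net for net in TRUSTED_SOURCES):
        tos = tos_from_precedence(policy_precedence) | (tos & 0x1F)  # keep low bits
        hdr = bytearray(packet[:ihl])
        hdr[1] = tos
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
        packet = bytes(hdr) + packet[ihl:]
    return QUEUE_FOR_PRECEDENCE[precedence_from_tos(tos)], packet

if __name__ == "__main__":
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        print("socket ToS set to 0x%02x" % mark_socket(sock, PRECEDENCE_HIGH))
    header = build_ipv4_header("203.0.113.7", "198.51.100.1",
                               tos=tos_from_precedence(PRECEDENCE_HIGH))
    print(enforce(header)[0])  # untrusted source: re-marked, queued best-effort
```

The trust list stands in for the policy server's knowledge of which hosts run the enablement agent; in a deployment it would be derived from the directory or from the agent registrations rather than from a constant.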
Depending upon the embodiment, one or more of these advantages may be present.
In one aspect, the present invention provides an open, standards-compliant,
software-based application. In particular, the present tool is software-based
and has an open architecture that gives it flexibility. This approach enables
the present tool to fit into a wide variety of enterprise and service provider
network environments, to be easily integrated with network devices provided by
OEM partners, and to inter-operate with traffic management systems provided by
other vendors.

In an alternative aspect, the present invention provides a very simple tool by
way of its user interfaces. The present tool's Java-based Web interface gives it
the location independence required for "manage from anywhere" administration.
Another aspect to simplifying the network manager's life is reducing the number
of data repositories that have to be maintained and synchronized. The present
tool's "meta directory"-like integration with NT Domains, LDAP directories and
DNS/DHCP servers means that implementing it does not require duplicating yet
another data store, and in fact, the use of any directory service at all is
optional.

In one or more embodiments, the present policy management framework provides
policy-based, directory-enabled traffic management, as well as other features.
The present invention also provides a fully distributed traffic management
system in other embodiments. In one or more aspects, the present system is
designed to be "open," standards-compliant, scalable and robust. The present
invention can also be extended to support not only QoS but also the full range
of network services that are elements of the intelligent network.

EXAMPLE 

Background 

As merely an example, a sample network is configured to carry out aspects of
the present invention. This is merely an example and should not limit the
scope of the claims herein. One of ordinary skill in the art would recognize
other variations, modifications, and alternatives. In the present example, the
hypothetical company is called "Company." The following parameters must be met
by the network in the Company. Company's network includes a local area internal
network and an external wide area network to corporate offices as well as the
Internet.

Company has "USER Max," who is a road warrior. USER Max must be guaranteed 128
Kb of bandwidth to access the corporate servers from all remote offices over
leased lines, by dialing into the corporate network, or over the Internet using
a VPN solution.

A mission critical application is called "CashReg." 
CashReg must be guaranteed 30% of all leased line links 
from remote offices. In addition, each user using this appli- 
cation should be guaranteed 56 Kb, subject to a limit of 80% 
for the application as a whole. 

Company's Web-Site must be guaranteed 20% of the 
Internet access link with high-priority. 

The present bandwidth management tool enforces the 
above parameters in the following manner. 

For User Max: The DPMA URS component detects any logins by User Max, and when
User Max starts accessing any service, the WAN router, dial-in router or
firewall serving User Max will be signaled by the DPMA Policy Server to
allocate at least 128K bandwidth for User Max against other competing traffic.

For Application "CashReg": The DPMA FAME component detects any access to
CashReg and the DPMA Policy Server keeps track of the application as a whole,
and communicates the bandwidth requirement to all the appropriate WAN routers
or DPMA application server components. The per-user 56 Kb minimum is also
enforced, but if User Max uses CashReg, he will get 128 Kb.

For the Web Server: High priority Internet service is 
communicated by the Policy Server to Web server EQOS 
Agent. The Agent sets IP Type of Service for all traffic from 
the Web server. In addition, the Policy Server communicates 
the bandwidth requirement to the Internet router, which 
supports this function. If this function is not supported, the 
Server EQOS Agent will assume control of bandwidth as 
well. 
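The following Python program is an added illustration of the policy decision engine, not code from the patent. It models the rule columns of FIG. 19 described earlier (sender, service, time, bandwidth allocated, priority, admissions) together with the alarm threshold and the DHCP-lease-aware identity resolution of the meta-policy service, and it runs the Company example above: User Max's 128 Kb guarantee, CashReg's 30% class guarantee with a 56 Kb per-user minimum under an 80% admission cap, and the Web site's 20% high-priority share, with Max receiving 128 Kb rather than 56 Kb when he uses CashReg. The names Lease, Rule, Decision, PolicyServer and company_demo, the T1 link speeds, the lease table and the hypothetical clerk users are constructed for the illustration, and "Kb" is read as kbit/s. One check a practitioner would want is made explicit: a lease that has expired never attributes traffic to its former holder, since otherwise the next host to receive User Max's address would inherit his guarantee.

```python
"""Policy Decision Point for the "Company" example above (added illustration,
not the patent's code). Lease, Rule, Decision, PolicyServer and company_demo
are hypothetical names; link speeds and leases are constructed; "Kb" = kbit/s."""
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

LINK_KBPS = {"wan-remote": 1544, "internet": 1544}  # constructed T1 link speeds

# DHCP lease: how the meta-policy service maps a source IP to a directory user.
Lease = namedtuple("Lease", "ip user expires")
# What the PDP hands back; guarantee_kbps is 0 when the flow is not admitted.
Decision = namedtuple("Decision", "user guarantee_kbps priority admitted alarms")

@dataclass
class Rule:
    """One row of the policy GUI: traffic class, timeframe and QoS action."""
    name: str
    user: Optional[str] = None        # sender as a directory user (None = any)
    service: Optional[str] = None     # application or service (None = any)
    link: Optional[str] = None        # link the rule is enforced on (None = any)
    hours: Tuple[int, int] = (0, 24)  # timeframe: [start, end) hour of day
    guarantee_kbps: int = 0           # absolute per-flow guarantee
    per_user_kbps: int = 0            # per-user minimum for an application
    class_pct: int = 0                # guarantee for the class as a whole
    cap_pct: int = 100                # admission limit for the class as a whole
    priority: str = "normal"          # "high": enablement agent sets IP ToS

    def matches(self, user, service, link, now):
        return (self.user in (None, user) and self.service in (None, service)
                and self.link in (None, link)
                and self.hours[0] <= now.hour < self.hours[1])

class PolicyServer:
    def __init__(self, rules, leases, alarm_pct=90, links=LINK_KBPS):
        self.rules, self.links, self.alarm_pct = rules, links, alarm_pct
        self.leases = {lease.ip: lease for lease in leases}
        self.reserved: Dict[Tuple[str, str], int] = {}  # (link, rule) -> kbps

    def resolve_user(self, ip, now):
        lease = self.leases.get(ip)
        if lease is None or lease.expires <= now:
            return None  # expired lease: never credit traffic to its old holder
        return lease.user

    def link_reservations(self, link):
        """Class-wide guarantees the server signals to the router for a link."""
        return {r.name: self.links[link] * r.class_pct // 100
                for r in self.rules if r.class_pct and r.link in (None, link)}

    def decide(self, src_ip, service, link, now):
        user = self.resolve_user(src_ip, now)
        matched = [r for r in self.rules if r.matches(user, service, link, now)]
        # A flow gets the largest guarantee any matching rule grants, so Max
        # using CashReg gets his 128 Kb rather than the application's 56 Kb.
        guarantee = max([0] + [max(r.guarantee_kbps, r.per_user_kbps) for r in matched])
        priority = "high" if any(r.priority == "high" for r in matched) else "normal"
        capped = [r for r in matched if r.cap_pct < 100]
        admitted = all(self.reserved.get((link, r.name), 0) + guarantee
                       <= self.links[link] * r.cap_pct / 100 for r in capped)
        for r in (capped if admitted else []):
            self.reserved[(link, r.name)] = self.reserved.get((link, r.name), 0) + guarantee
        total = sum(kbps for (l, _), kbps in self.reserved.items() if l == link)
        alarms = []  # alarm/notification hook: reservation threshold crossed
        if total > self.links[link] * self.alarm_pct / 100:
            alarms.append("%s: %d of %d kbps reserved" % (link, total, self.links[link]))
        return Decision(user, guarantee if admitted else 0, priority, admitted, alarms)

COMPANY_RULES = [
    Rule("max-roaming", user="max", guarantee_kbps=128),
    Rule("cashreg", service="CashReg", link="wan-remote", per_user_kbps=56,
         class_pct=30, cap_pct=80),
    Rule("website", service="http", link="internet", class_pct=20, priority="high"),
]

def company_demo():
    """Runs the three scenarios of the example and returns the decisions."""
    now = datetime(1998, 12, 1, 10, 0)
    leases = [Lease("10.1.0.5", "max", now + timedelta(hours=8)),
              Lease("10.1.0.9", "max", now - timedelta(minutes=1))]  # expired
    leases += [Lease("10.2.0.%d" % i, "clerk%d" % i, now + timedelta(hours=8))
               for i in range(1, 30)]
    server = PolicyServer(COMPANY_RULES, leases)
    max_flow = server.decide("10.1.0.5", "CashReg", "wan-remote", now)
    stale = server.decide("10.1.0.9", "CashReg", "wan-remote", now)
    clerks = [server.decide("10.2.0.%d" % i, "CashReg", "wan-remote", now)
              for i in range(1, 30)]
    web = server.decide("192.0.2.10", "http", "internet", now)  # server, no lease
    return {"max_kbps": max_flow.guarantee_kbps,
            "stale_user": stale.user, "stale_kbps": stale.guarantee_kbps,
            "clerks_admitted": sum(d.admitted for d in clerks),
            "cashreg_router_kbps": server.link_reservations("wan-remote")["cashreg"],
            "web_priority": web.priority,
            "web_router_kbps": server.link_reservations("internet")["website"]}
```

With a 1544 kbps leased line, the 80% cap admits eighteen 56 Kb CashReg clerks after Max's 128 Kb and one unidentified 56 Kb flow have been reserved; the nineteenth is refused rather than allowed to erode the guarantees already granted. The flow from Max's expired lease is still served as an ordinary CashReg user, but it does not receive his personal 128 Kb.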

In the foregoing specification, the invention has been 
described with reference to specific exemplary embodiments 
thereof. Many changes or modifications are readily envi- 
sioned. For example, the present invention can be applied to 
manage a variety of TCP/IP network traffic types for the 
Internet and Intranet. Further, the techniques can also be 
applied to Novell SPX, Xerox XNS or any protocol with a 
similar 'flow-control' design that utilizes windows and 
acknowledgment signals (similar to ACK). Alternative 
embodiments of the present invention can also be applied to 
a 'legacy' private WAN running IP as well as native Novell 
protocols if there is a need, (e.g., file server and client/server 
traffic). Further, embodiments of the present invention can 
include monitoring, billing, and reporting features, thus 
allowing for enhanced client billing and internal cost 
accounting of network usage. 

Furthermore, the above descriptions have been described in terms of bandwidth
management generally and a distributed bandwidth management embodiment. It
would be recognized, however, that aspects of the general bandwidth management
can be combined with the distributed embodiment. These embodiments also can be
separated and then recombined with other features. Accordingly, the invention
should not be limited to the description in the specific embodiments described.
These techniques are preferably implemented within a firewall platform to
provide the following benefits: bi-directional bandwidth management of network
links carrying TCP traffic; reactive (short time scale) and proactive (long
time scale) control mechanisms; gateway (local) and end-to-end (global)
techniques for bandwidth control, which reduce the managed links' contribution
to congestion in the Internet; and operation in present-day heterogeneous wide
area networks, such as the Internet, without requiring any client, server or
router changes.

The specification and drawings are, accordingly, to be 
regarded in an illustrative rather than a restrictive sense. It 
will, however, be evident that various modifications and 
changes may be made thereunto without departing from the 
broader spirit and scope of the invention as set forth in the 
claims. 

What is claimed is: 

1. A graphical user interface for monitoring and managing 
a flow of information, said graphical user interface, com- 
prising: 

said graphical user interface executing on a computer 
coupled between a local network and a remote network, 
said flow of information passing through said 
computer, said graphical user interface having 

a first module for monitoring and measuring said flow of 
information, and wherein said flow of information is 
classified into a traffic classification; 

a second module for implementing traffic control and 
managing bandwidth of said flow of information; 
a third module, coupled to said first and second module, 
for implementing policy in said first and second 
modules, wherein said policy defines specific limita- 
tions or parameters for said flow of information and 
said bandwidth of said flow of information; 

a display comprising at least a first portion and a second 
portion, said first portion comprising a graphical rep- 
resentation of said flow of information, said second 
portion comprising text describing aspects of said flow 
of information; 

a first dialog box for modifying presentation of traffic flow 
measurements and modifying said policy in response to 
said measurements; and 

whereupon said display also outputs a network location 
from one of a plurality of selected locations for said 
flow of information. 

2. The interface of claim 1 wherein said graphical repre- 
sentation comprises a chart of bandwidth consumption. 

3. The interface of claim 2 wherein said bandwidth 
consumption is a plot of bandwidth consumed against time 
for said network location. 

4. The interface of claim 2 wherein said bandwidth 
consumption is a plurality of plots, each of said plots 
representing consumed bandwidth against time. 

5. The interface of claim 2 wherein said flow of informa- 
tion comprises one of a plurality of traffic classes. 

6. The interface of claim 1 wherein said graphical repre- 
sentation comprises a plot of failure rates against time. 

7. The interface of claim 1 wherein said graphical repre- 
sentation comprises a plot of delay rates against time. 

8. The interface of claim 1 wherein said display is 
outputted on a computer monitor. 

9. The interface of claim 1 wherein said display is a 
real-time display of a portion of said flow of information. 

10. The interface of claim 1 wherein said network location 
is selected from a graphical representation or text. 

11. The graphical user interface of claim 1, further com- 
prising a second dialog box for adding additional graphical 
charts to said first portion. 

12. The graphical user interface of claim 1, further com- 
prising a save option wherein said first portion and said 
second portion may be saved to computer readable memory 
for later retrieval. 

13. The method of claim 12 wherein said charting band- 
width consumption further comprises plotting bandwidth 
consumed against time for said network location. 

14. The method of claim 12 wherein said charting band- 
width consumption comprises plotting a plurality of plots, 
each of said plots representing consumed bandwidth against 
time. 

15. The method of claim 12 wherein said flow of infor- 
mation comprises one of a plurality of traffic classes. 

16. A method for use of a graphical user interface for 
monitoring and managing a flow of information, said 
method, comprising: 

executing said graphical user interface on a computer 
coupled between a local network and a remote network, 
said flow of information passing through said 
computer, said graphical user interface having a first 
module, a second module, and a third module; 

monitoring and measuring said flow of information by 
executing said first module, and wherein said flow of 
information is classified into a traffic classification; 

implementing traffic control and managing bandwidth of 
said flow of information by executing said second 
module; 
implementing policy in said first and second modules, by 
executing said third module, wherein said policy 
defines specific limitations or parameters for said flow 
of information and said bandwidth of said flow of 
information; 

displaying, in at least a first portion and a second portion, 
information about said flow of information, wherein 
said displaying comprises graphically representing said 
flow of information on said first portion, and textually 
describing aspects of said flow of information on said 
second portion; 

modifying, through data entry into a first dialog box, 
presentation of traffic flow measurements and modify- 
ing said policy in response to said measurements; and 

outputting a network location from one of a plurality of 
selected locations for said flow of information. 

17. A computer network system, comprising: 

a computer, said computer coupled between a local net- 
work and a remote network, a flow of information 
passing through said computer; and 

a real-time distributed bandwidth profiling tool executing 
on said computer, said real-time bandwidth profiling 
tool having 

a first module for monitoring and measuring said flow of 
information, and wherein said flow of information is 
classified into a traffic classification; 

a second module for implementing traffic control and 
managing bandwidth of said flow of information; 

a third module, coupled to said first and second module, 
for implementing policy in said first and second 
modules, wherein said policy defines specific limita- 
tions or parameters for said flow of information; 

a graphical user interface, said graphical user interface 
comprising at least a first portion and a second portion, 
said first portion comprising a graphical representation 
of said flow of information, said second portion com- 
prising text information describing said flow of infor- 
mation; and 

a first dialog box for modifying said first portion, where- 
upon said flow of information is derived from one of a 
plurality of selected network locations distributed over 
said computer network. 

18. The computer network system of claim 17 wherein 
said graphical representation comprises bandwidth con- 
sumption. 

19. The computer network system of claim 18 wherein 
said bandwidth consumption is a plot of bandwidth con- 
sumed against time. 

20. The computer network system of claim 18 wherein 
said bandwidth consumption is a plurality of plots, each of 
said plots representing consumed bandwidth against time. 

21. The computer network system of claim 18 wherein 
said flow of information comprises one of a plurality of 
traffic classes. 

22. The computer network system of claim 17 wherein 
graphical representation is selected from a plot of failure 
rates against time or a plot of delay rates against time. 

23. The computer network system of claim 17 wherein 
said graphical representation is selected from a graph, a 
histogram, a bar chart, and a pie chart. 

24. The graphical user interface of claim 17, further 
comprising a save option wherein said first portion and said 
second portion may be saved to computer readable memory 
for later retrieval. 

25. The graphical user interface of claim 11, further 
comprising a second dialog box for adding additional 
graphical charts to said first portion. 
26. The method of claim 25 wherein said graphically 
representing further comprises charting bandwidth con- 
sumption. 

27. The method of claim 25 wherein said graphically 
representing further comprises plotting failure rates against 
time. 

28. The method of claim 25 wherein said graphically 
representing further comprises plotting delay rates against 
time. 

29. The method of claim 25 wherein said displaying 
further comprises outputting on a monitor coupled with said 
computer. 

30. The method of claim 25 wherein said displaying 
further comprises real-time displaying of a portion of said 
flow of information. 

31. The method of claim 25 further comprising selecting 
said network location from a graphical representation or 
text. 
32. The method of claim 25, further comprising 
modifying, through data entry into a second dialog box, said 
graphically representing said flow of information in said first 
portion. 

33. A node for executing the method according to claim 
25. 

34. A communication network comprising at least one 
node according to the method of claim 25. 

35. A computer-readable medium comprising: instruc- 
tions and data written thereon, said instructions and data 
containing information for the method of claim 25. 

36. Electromagnetic signals travelling over a computer 
network comprising: said electromagnetic signals carrying 
information for the method of claim 25. 